From 4195a89ab2e2bd690ba255e40a5c3d309f031796 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Fri, 2 Feb 2024 13:14:29 +0100
Subject: nft: Do not omit full ranges if inverted

Otherwise this turns a never matching rule into an always matching one.

Fixes: c034cf31dd1a9 ("nft: prefer native expressions instead of udp match")
Signed-off-by: Phil Sutter
---
 iptables/nft.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'iptables/nft.c')

diff --git a/iptables/nft.c b/iptables/nft.c
index c2cbc9d7..dae6698d 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1324,7 +1324,7 @@ static int add_nft_tcpudp(struct nft_handle *h,struct nftnl_rule *r,
 		return 0;
 	}
 
-	if (src[0] || src[1] < 0xffff) {
+	if (src[0] || src[1] < UINT16_MAX || invert_src) {
 		expr = gen_payload(h, NFT_PAYLOAD_TRANSPORT_HEADER, 0, 2, ®);
 		if (!expr)
 			return -ENOMEM;
@@ -1335,7 +1335,7 @@ static int add_nft_tcpudp(struct nft_handle *h,struct nftnl_rule *r,
 		return ret;
 	}
 
-	if (dst[0] || dst[1] < 0xffff) {
+	if (dst[0] || dst[1] < UINT16_MAX || invert_dst) {
 		expr = gen_payload(h, NFT_PAYLOAD_TRANSPORT_HEADER, 2, 2, ®);
 		if (!expr)
 			return -ENOMEM;
-- 
cgit v1.2.3
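Review bot: The new condition on the `src` line (and its `dst` twin in the second hunk) encodes a non-obvious invariant without saying so: a full 0–65535 range still needs a payload match when the port test is inverted, because skipping the match silently flips a never-matching rule into an always-matching one, which for a firewall rule is a semantic inversion of its verdict scope. A one-line comment above each site, `/* an inverted full range must still emit a (never-matching) cmp */`, would keep a future cleanup from reintroducing the bug named in the Fixes: trailer. The same three-term predicate is now duplicated for src and dst; hoisting it into a small static helper that takes the two bounds and the invert flag would keep both sites in step. `invert_src`/`invert_dst` and the `<stdint.h>` include behind `UINT16_MAX` are presumably already in scope in add_nft_tcpudp, whose body starts and ends outside both hunks. A regression case for an inverted full port range in the project's shell test suite would pin the corrected semantics.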