iptables-nft: fix -f fragment option
authorFlorian Westphal <fw@strlen.de>
Sun, 11 Nov 2018 21:02:39 +0000 (22:02 +0100)
committerFlorian Westphal <fw@strlen.de>
Sun, 11 Nov 2018 21:03:29 +0000 (22:03 +0100)
This needs to be passed in network byte order.

Reported-by: Arno van Amersfoort <arnova@rocky.eld.leidenuniv.nl>
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1292
Signed-off-by: Florian Westphal <fw@strlen.de>
iptables/nft-ipv4.c

index 6a8a7cedf6e349fbe84e0f30ff9dcf40223436ff..ffb439b4a1128ea8be659d550b9e91a643245709 100644 (file)
@@ -64,7 +64,7 @@ static int nft_ipv4_add(struct nftnl_rule *r, void *data)
                add_payload(r, offsetof(struct iphdr, frag_off), 2,
                            NFT_PAYLOAD_NETWORK_HEADER);
                /* get the 13 bits that contain the fragment offset */
-               add_bitwise_u16(r, 0x1fff, 0);
+               add_bitwise_u16(r, htons(0x1fff), 0);
 
                /* if offset is non-zero, this is a fragment */
                op = NFT_CMP_NEQ;
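Review bot: The comment above the changed `add_bitwise_u16` call still says only that 13 bits are extracted, so nothing on the new side records why the mask is wrapped in `htons()`. The payload loaded from `frag_off` is raw header bytes in network byte order, and on a little-endian host an unconverted `0x1fff` would cover the flag bits in the first byte and miss part of the offset, so a `-f` rule would match the wrong packets; I would extend the comment to `/* get the 13 bits that contain the fragment offset; the mask must be in network byte order to line up with the raw header bytes */`. The xor argument of 0 is byte-order neutral, and the comparison presumably is too if it compares against zero, but that call lies outside the hunk, as do the start and end of nft_ipv4_add. If the tree has rule-translation tests, a case for `-f` and `! -f` would keep this from regressing silently.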