ebtables: ip and ip6 matches depend on protocol match
authorPhil Sutter <phil@nwl.cc>
Fri, 3 Feb 2023 19:08:09 +0000 (20:08 +0100)
committerPhil Sutter <phil@nwl.cc>
Fri, 17 Feb 2023 17:18:48 +0000 (18:18 +0100)
This is consistent with legacy ebtables and also avoids invalid
combinations like '-p IPv6 --ip-source 1.2.3.4'.

Signed-off-by: Phil Sutter <phil@nwl.cc>
iptables/nft-bridge.c

index 83cbe31559d4b3216b2b6e6c9edb562eee0c5ff7..b9983b203f6d0601398e98c97f9bd02dcb7704c0 100644 (file)
@@ -104,11 +104,18 @@ static int
 nft_bridge_add_match(struct nft_handle *h, const struct ebt_entry *fw,
                     struct nftnl_rule *r, struct xt_entry_match *m)
 {
-       if (!strcmp(m->u.user.name, "802_3") &&
-           !(fw->bitmask & EBT_802_3))
+       if (!strcmp(m->u.user.name, "802_3") && !(fw->bitmask & EBT_802_3))
                xtables_error(PARAMETER_PROBLEM,
                              "For 802.3 DSAP/SSAP filtering the protocol must be LENGTH");
 
+       if (!strcmp(m->u.user.name, "ip") && fw->ethproto != htons(ETH_P_IP))
+               xtables_error(PARAMETER_PROBLEM,
+                             "For IP filtering the protocol must be specified as IPv4.");
+
+       if (!strcmp(m->u.user.name, "ip6") && fw->ethproto != htons(ETH_P_IPV6))
+               xtables_error(PARAMETER_PROBLEM,
+                             "For IPv6 filtering the protocol must be specified as IPv6.");
+
        return add_match(h, r, m);
 }
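Review bot: The new "ip" and "ip6" checks compare only fw->ethproto, so a rule whose protocol match is negated (`-p ! IPv4`) still passes them although it selects non-IPv4 frames, which is exactly the invalid combination the commit sets out to reject; legacy ebtables' ip final_check, as far as I recall, also fails when the protocol match is inverted. If this frontend records that inversion in fw->invflags with the kernel's EBT_IPROTO bit (to be confirmed against the option parser), the condition should become `if (!strcmp(m->u.user.name, "ip") && (fw->ethproto != htons(ETH_P_IP) || fw->invflags & EBT_IPROTO))` and the "ip6" line likewise. The pre-existing 802_3 check above has the same gap, so it would be worth aligning all three in one place, perhaps via a small static helper that takes the expected ethproto and the error text.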