nft-arp: wrong condition in parse_payload
authorGiuseppe Longo <giuseppelng@gmail.com>
Fri, 7 Mar 2014 14:21:10 +0000 (15:21 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Fri, 7 Mar 2014 17:31:16 +0000 (18:31 +0100)
The current condition prevents IP addresses from being parsed
when they should be, so they are not printed.

arptables-compat -A INPUT -s 1.1.1.1 -i eth0 -j ACCEPT
arptables-compat -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
-j ACCEPT -i eth0

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables/nft-arp.c

index 1af720293648b5e6893117b3485adedfdec6fbf6..3af1b4bfc47fc69ff504367f5c7c1dcf762a872d 100644 (file)
@@ -345,7 +345,7 @@ static void nft_arp_parse_payload(struct nft_rule_expr_iter *iter,
                        fw->arp.invflags |= ARPT_INV_ARPOP;
                break;
        default:
-               if (!fw->arp.arhln)
+               if (fw->arp.arhln < 0)
                        break;
 
                if (offset == sizeof(struct arphdr) + fw->arp.arhln) {
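Review bot: The new guard `if (fw->arp.arhln < 0)` in the `default:` branch can never be true if `arhln` is an unsigned field, which it is (`__u8`) in the kernel's `struct arpt_arp`; the declaration is not visible in this hunk, so confirm it. If so, the `break` is dead code, `-Wtype-limits` will flag it, and the commit in effect removes the check rather than correcting it. Either delete the two lines, or replace them with the condition actually intended and a comment stating why a zero `arhln` is accepted, since the offset comparison `sizeof(struct arphdr) + fw->arp.arhln` that follows depends on that value to tell address payloads apart. The body of nft_arp_parse_payload starts and ends outside the hunk, so the remaining offset comparisons could not be checked here.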