xtables: fix missing protocol and invflags

xtables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables: Target problem. Run `dmesg' for more information
x_tables: ip_tables: tcp match: only valid for protocol

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index ac2b27b8bbeff2bdc765cad9336e25cf702b548a..0a601243ce80f753d0a73f5fb8d91b78f2d702ce 100644 (file)
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -60,6 +60,8 @@ static int nft_ipv4_add(struct nft_rule *r, struct iptables_command_state *cs)
                add_cmp_u16(r, 0, op);
        }
 
+       add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags);
+
        return cs->fw.ip.flags;
 }
 

diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index a2e8030657498ef1edcfca56581a2fec7c0fd208..65a894900541f355269195946020e3e97615effe 100644 (file)
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -42,6 +42,8 @@ static int nft_ipv6_add(struct nft_rule *r, struct iptables_command_state *cs)
                add_proto(r, offsetof(struct ip6_hdr, ip6_nxt), 1,
                          cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags);
 
+       add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags);
+
        return cs->fw6.ipv6.flags;
 }
 

diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index f55d6f685cb8747d88d5183f84846d6c97d86eab..b301d4112139f9f3688d2685e31cb93cf92895ef 100644 (file)
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -63,6 +63,7 @@ void add_addr(struct nft_rule *r, int offset,
              void *data, size_t len, int invflags);
 void add_proto(struct nft_rule *r, int offset, size_t len,
               uint32_t proto, int invflags);
+void add_compat(struct nft_rule *r, uint32_t proto, bool inv);
 
 bool is_same_interfaces(const char *a_iniface, const char *a_outiface,
                        unsigned const char *a_iniface_mask,

diff --git a/iptables/nft.c b/iptables/nft.c
index f39f40716baafbbdcae486116efe407db8540cdc..e55c18c10a512c593ee46430310976e163d29c94 100644 (file)
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -664,7 +664,7 @@ static void add_counters(struct nft_rule *r, uint64_t packets, uint64_t bytes)
        nft_rule_add_expr(r, expr);
 }
 
-static void add_compat(struct nft_rule *r, uint32_t proto, bool inv)
+void add_compat(struct nft_rule *r, uint32_t proto, bool inv)
 {
        nft_rule_attr_set_u32(r, NFT_RULE_ATTR_COMPAT_PROTO, proto);
        nft_rule_attr_set_u32(r, NFT_RULE_ATTR_COMPAT_FLAGS,