nft: use payload matching for layer 4 protocol

This is an IPv4 header, which does not require the special handling
as in IPv6, use the payload matching instead of meta l4proto which
is slightly faster in this case.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index d67d8198bfaf0155fa9107bc7ece16c7ed8474e9..2a5d25d8694e77cf4c5a22d80645f27acad2f36d 100644 (file)
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -61,7 +61,8 @@ static int nft_ipv4_add(struct nft_handle *h, struct nftnl_rule *r,
 
        if (cs->fw.ip.proto != 0) {
                op = nft_invflags2cmp(cs->fw.ip.invflags, XT_INV_PROTO);
-               add_l4proto(h, r, cs->fw.ip.proto, op);
+               add_proto(h, r, offsetof(struct iphdr, protocol),
+                         sizeof(uint8_t), cs->fw.ip.proto, op);
        }
 
        if (cs->fw.ip.flags & IPT_F_FRAG) {