xtables: Don't pass full invflags to add_compat()
authorPhil Sutter <phil@nwl.cc>
Thu, 9 Aug 2018 16:06:56 +0000 (18:06 +0200)
committerFlorian Westphal <fw@strlen.de>
Thu, 9 Aug 2018 19:54:17 +0000 (21:54 +0200)
The function expects a boolean, not a bitfield. This bug caused
inversion in another match to carry over to protocol match by accident.
The supplied testcase contains rules which then fail because they
contain matches requiring that protocol.

Fixes: 4ef77b6d1b52e ("xtables: fix missing protocol and invflags")
Fixes: 4143a08819a07 ("ebtables-compat: add nft rule compat information to bridge rules")
Signed-off-by: Phil Sutter <phil@nwl.cc>
iptables/nft-bridge.c
iptables/nft-ipv4.c
iptables/nft-ipv6.c
iptables/tests/shell/testcases/nft-only/0002invflags_0 [new file with mode: 0755]

index 386da8693b03ab956a6fd1a95e4d526e319cd308..7dcc0c1adc41882dbb1bc60abc5b6a610f514d87 100644 (file)
@@ -222,7 +222,7 @@ static int nft_bridge_add(struct nftnl_rule *r, void *data)
                add_cmp_u16(r, fw->ethproto, op);
        }
 
-       add_compat(r, fw->ethproto, fw->invflags);
+       add_compat(r, fw->ethproto, fw->invflags & EBT_IPROTO);
 
        for (iter = cs->match_list; iter; iter = iter->next) {
                if (iter->ismatch) {
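Review bot: The masked argument `fw->invflags & EBT_IPROTO` hands add_compat() the raw bit value rather than 0 or 1, so the fix is only complete if add_compat()'s third parameter is declared `bool` or is used purely as a truth value; the nft-ipv4.c and nft-ipv6.c hunks use the same pattern with XT_INV_PROTO. add_compat()'s declaration is not on the page, so this is inferred; if the parameter is an integer that is later compared against 1 or written into a single-bit field, the call should normalise explicitly, `add_compat(r, fw->ethproto, !!(fw->invflags & EBT_IPROTO));`. A short comment such as `/* add_compat() takes a bool: pass only the protocol-inversion bit */` above the call would record why the mask is there, since the bug this fixes (another match's inversion leaking into the protocol match) is easy to reintroduce. nft_bridge_add() starts and ends outside the hunk.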
index eaf861d1f76e7ee16e82b48b9686bea497189653..4f31a516bd1057d90ef34b7140fa26f589110f1b 100644 (file)
@@ -75,7 +75,7 @@ static int nft_ipv4_add(struct nftnl_rule *r, void *data)
                add_cmp_u16(r, 0, op);
        }
 
-       add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags);
+       add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags & XT_INV_PROTO);
 
        for (matchp = cs->matches; matchp; matchp = matchp->next) {
                /* Use nft built-in comments support instead of comment match */
index fa5b8c89f3db630f652e808b7f12eb68c4fbe342..c651b16d7a8d1ffd62be7c08066aee0859c6d9da 100644 (file)
@@ -60,7 +60,7 @@ static int nft_ipv6_add(struct nftnl_rule *r, void *data)
                         &cs->fw6.ipv6.dst, &cs->fw6.ipv6.dmsk,
                         sizeof(struct in6_addr), op);
        }
-       add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags);
+       add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags & XT_INV_PROTO);
 
        for (matchp = cs->matches; matchp; matchp = matchp->next) {
                /* Use nft built-in comments support instead of comment match */
diff --git a/iptables/tests/shell/testcases/nft-only/0002invflags_0 b/iptables/tests/shell/testcases/nft-only/0002invflags_0
new file mode 100755 (executable)
index 0000000..406b608
--- /dev/null
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+
+$XT_MULTI iptables -A INPUT -p tcp --dport 53 ! -s 192.168.0.1 -j ACCEPT
+$XT_MULTI ip6tables -A INPUT -p tcp --dport 53 ! -s feed:babe::1 -j ACCEPT
+$XT_MULTI ebtables -A INPUT -p IPv4 --ip-src 10.0.0.1 ! -i lo -j ACCEPT
+
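Review bot: The skip check `[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }` relies on the `[[` keyword, which the `#!/bin/sh` shebang does not guarantee; under a POSIX sh such as dash, `[[` is an unknown command, the `||` branch runs, and the script prints "skip" and exits 0, so the regression would never actually be exercised there. A portable form is `case "$XT_MULTI" in */xtables-nft-multi) ;; *) echo "skip $XT_MULTI"; exit 0 ;; esac`. A header comment naming what is covered, e.g. `# Regression: a negated match (! -s, ! -i) must not invert the -p protocol match`, would also help the next reader connect the three rules to the bug being fixed.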