xtables: fix -p protocol

The protocol field in both IPv4 and IPv6 headers are 8 bits long,
so we have to compare 8 bits.

Reported-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index c368f40b6e1cc4b62fc95348eea7726136ea6de0..c0ee4c8a832066908850cd0ed38c5a6af52a23ac 100644 (file)
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -91,6 +91,11 @@ void add_cmp_ptr(struct nft_rule *r, uint32_t op, void *data, size_t len)
        nft_rule_add_expr(r, expr);
 }
 
+void add_cmp_u8(struct nft_rule *r, uint8_t val, uint32_t op)
+{
+       add_cmp_ptr(r, op, &val, sizeof(val));
+}
+
 void add_cmp_u16(struct nft_rule *r, uint16_t val, uint32_t op)
 {
        add_cmp_ptr(r, op, &val, sizeof(val));
@@ -159,7 +164,7 @@ void add_addr(struct nft_rule *r, int offset,
 }
 
 void add_proto(struct nft_rule *r, int offset, size_t len,
-              uint32_t proto, int invflags)
+              uint8_t proto, int invflags)
 {
        uint32_t op;
 
@@ -170,7 +175,7 @@ void add_proto(struct nft_rule *r, int offset, size_t len,
        else
                op = NFT_CMP_EQ;
 
-       add_cmp_u32(r, proto, op);
+       add_cmp_u8(r, proto, op);
 }
 
 bool is_same_interfaces(const char *a_iniface, const char *a_outiface,

diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 59734d9de4fd591dcf9119c7b7b8b677254cc5be..c59ab21aaba67db4aacaf09e203cd4650323780b 100644 (file)
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -59,6 +59,7 @@ void add_meta(struct nft_rule *r, uint32_t key);
 void add_payload(struct nft_rule *r, int offset, int len);
 void add_bitwise_u16(struct nft_rule *r, int mask, int xor);
 void add_cmp_ptr(struct nft_rule *r, uint32_t op, void *data, size_t len);
+void add_cmp_u8(struct nft_rule *r, uint8_t val, uint32_t op);
 void add_cmp_u16(struct nft_rule *r, uint16_t val, uint32_t op);
 void add_cmp_u32(struct nft_rule *r, uint32_t val, uint32_t op);
 void add_iniface(struct nft_rule *r, char *iface, int invflags);
@@ -66,7 +67,7 @@ void add_outiface(struct nft_rule *r, char *iface, int invflags);
 void add_addr(struct nft_rule *r, int offset,
              void *data, size_t len, int invflags);
 void add_proto(struct nft_rule *r, int offset, size_t len,
-              uint32_t proto, int invflags);
+              uint8_t proto, int invflags);
 void add_compat(struct nft_rule *r, uint32_t proto, bool inv);
 
 bool is_same_interfaces(const char *a_iniface, const char *a_outiface,