From: Phil Sutter <phil@nwl.cc>
Date: Sat, 27 Jul 2024 07:12:34 +0000 (+0200)
Subject: arptables: Fix conditional opcode/proto-type printing
X-Git-Tag: v1.8.11~40
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=25d4d341af5972b5560b31fa5dea72de057cb430;p=thirdparty%2Fiptables.git

arptables: Fix conditional opcode/proto-type printing

The checks were wrong: nft_arp_init_cs() initializes masks to 65535, not
0. This went on unnoticed because nft_arp_add() does it right and
init_cs callback was not used in e.g. nft_arp_print_rule(). The last
patch adding init_cs() calls in potentially required spots exposed this
though.

Fixes: 84909d171585d ("xtables: bootstrap ARP compatibility layer for nftables")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---

diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 2784f12a..c7383327 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -299,7 +299,8 @@ after_devdst:
 		sep = " ";
 	}
 
-	if (fw->arp.arpop_mask != 0) {
+	if (fw->arp.arpop_mask != 65535 || fw->arp.arpop != 0 ||
+	    fw->arp.invflags & IPT_INV_ARPOP) {
 		int tmp = ntohs(fw->arp.arpop);
 
 		printf("%s%s", sep, fw->arp.invflags & IPT_INV_ARPOP
@@ -329,7 +330,8 @@ after_devdst:
 		sep = " ";
 	}
 
-	if (fw->arp.arpro_mask != 0) {
+	if (fw->arp.arpro_mask != 65535 || fw->arp.arpro != 0 ||
+	    fw->arp.invflags & IPT_INV_PROTO) {
 		int tmp = ntohs(fw->arp.arpro);
 
 		printf("%s%s", sep, fw->arp.invflags & IPT_INV_PROTO