From: Pablo Neira Ayuso Date: Fri, 9 Jun 2023 10:30:30 +0000 (+0200) Subject: nft: use payload matching for layer 4 protocol X-Git-Tag: v1.8.10~53 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=69278f9602b43df80821c55c21c0666f5c6f7e2f;p=thirdparty%2Fiptables.git nft: use payload matching for layer 4 protocol This is an IPv4 header, which does not require the special handling as in IPv6, use the payload matching instead of meta l4proto which is slightly faster in this case. Signed-off-by: Pablo Neira Ayuso Signed-off-by: Phil Sutter --- diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c index d67d8198..2a5d25d8 100644 --- a/iptables/nft-ipv4.c +++ b/iptables/nft-ipv4.c @@ -61,7 +61,8 @@ static int nft_ipv4_add(struct nft_handle *h, struct nftnl_rule *r, if (cs->fw.ip.proto != 0) { op = nft_invflags2cmp(cs->fw.ip.invflags, XT_INV_PROTO); - add_l4proto(h, r, cs->fw.ip.proto, op); + add_proto(h, r, offsetof(struct iphdr, protocol), + sizeof(uint8_t), cs->fw.ip.proto, op); } if (cs->fw.ip.flags & IPT_F_FRAG) {
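Review bot: the new add_proto() call in nft_ipv4_add() changes the expression emitted for a protocol match from meta l4proto to a payload compare, but the diff shown touches only the add path. Please confirm that the parse side used for listing, -C and -D recognises a payload match at offsetof(struct iphdr, protocol) and maps it back to cs->fw.ip.proto with the inversion flag intact, and that any expected-output tests that still show meta l4proto for IPv4 rules are updated in the same series. Two smaller points on the same call: the reason it is safe to read the byte directly here is stated only in the commit message ("does not require the special handling as in IPv6"), so a short comment above the call would stop someone from later unifying it with the IPv6 path; and the length could be tied to the field instead of the hard-coded sizeof(uint8_t), for example sizeof(((struct iphdr *)0)->protocol), so offset and length come from the same struct member. The "slightly faster" claim in the commit message would also be easier to evaluate with a measurement or a pointer to where the cost difference comes from.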