Currently the protocol is tested after the ip address, this fixes the order testing the protocol before the ip address. Now the code generated is incorrect: ip filter INPUT 16 [ payload load 4b @ network header + 12 => reg 1 ] [ cmp eq reg 1 0x0100a8c0 ] [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ match name tcp rev 0 ] [ match name conntrack rev 3 ] [ counter pkts 0 bytes 0 ] [ immediate reg 0 accept ] With this patch, the code generated is: ip filter INPUT 16 [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 4b @ network header + 12 => reg 1 ] [ cmp eq reg 1 0x0100a8c0 ] [ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ] [ match name tcp rev 0 ] [ match name conntrack rev 3 ] [ counter pkts 0 bytes 0 ] [ immediate reg 0 accept ] Signed-off-by: Giuseppe Longo <giuseppelng@xxxxxxxxx> --- iptables/nft-ipv4.c | 8 ++++---- iptables/nft-ipv6.c | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c index 33bc581..70050ba 100644 --- a/iptables/nft-ipv4.c +++ b/iptables/nft-ipv4.c @@ -37,6 +37,10 @@ static int nft_ipv4_add(struct nft_rule *r, void *data) if (cs->fw.ip.outiface[0] != '\0') add_outiface(r, cs->fw.ip.outiface, cs->fw.ip.invflags); + if (cs->fw.ip.proto != 0) + add_proto(r, offsetof(struct iphdr, protocol), 1, + cs->fw.ip.proto, cs->fw.ip.invflags); + if (cs->fw.ip.src.s_addr != 0) add_addr(r, offsetof(struct iphdr, saddr), &cs->fw.ip.src.s_addr, 4, cs->fw.ip.invflags); @@ -45,10 +49,6 @@ static int nft_ipv4_add(struct nft_rule *r, void *data) add_addr(r, offsetof(struct iphdr, daddr), &cs->fw.ip.dst.s_addr, 4, cs->fw.ip.invflags); - if (cs->fw.ip.proto != 0) - add_proto(r, offsetof(struct iphdr, protocol), 1, - cs->fw.ip.proto, cs->fw.ip.invflags); - if (cs->fw.ip.flags & IPT_F_FRAG) { add_payload(r, offsetof(struct iphdr, frag_off), 2); /* get the 13 bits that contain the fragment offset */ diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c index 00f1bf8..52de5b6 100644 --- a/iptables/nft-ipv6.c +++ b/iptables/nft-ipv6.c @@ -34,6 +34,10 @@ static int nft_ipv6_add(struct nft_rule *r, void *data) if (cs->fw6.ipv6.outiface[0] != '\0') add_outiface(r, cs->fw6.ipv6.outiface, cs->fw6.ipv6.invflags); + if (cs->fw6.ipv6.proto != 0) + add_proto(r, offsetof(struct ip6_hdr, ip6_nxt), 1, + cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags); + if (!IN6_IS_ADDR_UNSPECIFIED(&cs->fw6.ipv6.src)) add_addr(r, offsetof(struct ip6_hdr, ip6_src), &cs->fw6.ipv6.src, 16, cs->fw6.ipv6.invflags); @@ -42,10 +46,6 @@ static int nft_ipv6_add(struct nft_rule *r, void *data) add_addr(r, offsetof(struct ip6_hdr, ip6_dst), &cs->fw6.ipv6.dst, 16, cs->fw6.ipv6.invflags); - if (cs->fw6.ipv6.proto != 0) - add_proto(r, offsetof(struct ip6_hdr, ip6_nxt), 1, - cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags); - add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags); for (matchp = cs->matches; matchp; matchp = matchp->next) { -- 1.8.3.2 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html