Setting this bit in cs->fw6.ipv6.flags was done only for rules parsed from command line, not for those read from kernel. As a result, appropriate rules could not be deleted. A simple test case is: | # ip6tables-nft -A INPUT -p tcp -j ACCEPT | # ip6tables-nft -D INPUT -p tcp -j ACCEPT | iptables: Bad rule (does a matching rule exist in that chain?). Since the flag is not used anywhere in xtables, dropping its use fixes the bug as well as setting it in both cases. Fixes: 5ee03e6df4172 ("xtables: Use meta l4proto for -p match") Signed-off-by: Phil Sutter <phil@xxxxxx> --- iptables/nft-ipv6.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c index 48a7cefe023bc..b1b20ba18d868 100644 --- a/iptables/nft-ipv6.c +++ b/iptables/nft-ipv6.c @@ -171,7 +171,6 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx, break; case offsetof(struct ip6_hdr, ip6_nxt): get_cmp_data(e, &proto, sizeof(proto), &inv); - cs->fw6.ipv6.flags |= IP6T_F_PROTO; cs->fw6.ipv6.proto = proto; if (inv) cs->fw6.ipv6.invflags |= IP6T_INV_PROTO; @@ -325,9 +324,6 @@ static void nft_ipv6_proto_parse(struct iptables_command_state *cs, static void nft_ipv6_post_parse(int command, struct iptables_command_state *cs, struct xtables_args *args) { - if (args->proto != 0) - args->flags |= IP6T_F_PROTO; - cs->fw6.ipv6.flags = args->flags; /* We already set invflags in proto_parse, but we need to refresh it * to include new parsed options. -- 2.18.0