reg is populated based off the payload base: NFTNL_EXPR_META_KEY = NFTNL_EXPR_BASE, NFTNL_EXPR_META_DREG, NFTNL_EXPR_PAYLOAD_DREG = NFTNL_EXPR_BASE, Fix this. It worked because the simple nft rules currently generated via iptables-nft have base == register-number but this is a coincidence. Signed-off-by: Florian Westphal <fw@xxxxxxxxx> --- iptables/nft-shared.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c index b281ba2987cc..4394e8b7c4e8 100644 --- a/iptables/nft-shared.c +++ b/iptables/nft-shared.c @@ -443,7 +443,7 @@ static void nft_parse_payload(struct nft_xt_ctx *ctx, struct nftnl_expr *e) ctx->flags |= NFT_XT_CTX_PREV_PAYLOAD; } - ctx->reg = nftnl_expr_get_u32(e, NFTNL_EXPR_META_DREG); + ctx->reg = nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_DREG); ctx->payload.base = nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_BASE); ctx->payload.offset = nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_OFFSET); ctx->payload.len = nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_LEN); -- 2.33.1
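
Review bot: in nft_parse_payload(), the corrected ctx->reg read comes with no regression test (the diffstat touches only iptables/nft-shared.c), while the commit message says the old code passed only because base happened to equal the register number in the rules generated today. A test that parses a payload expression whose base and destination register differ would keep this from regressing silently. Since nftnl_expr_get_u32() takes the attribute id as a plain integer, passing a meta attribute to a payload expression compiles without complaint, so the other parse helpers in this file deserve a check for the same kind of mismatch. The message would also be easier to follow if it stated outright that NFTNL_EXPR_META_DREG resolves to the same numeric value as NFTNL_EXPR_PAYLOAD_BASE, which is what its first sentence and the enum excerpts suggest.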