[iptables PATCH 4/7] nft: Fix match generator for '! -i +'


 



It's actually nonsense since it will never match, but iptables accepts
it and the resulting nftables rule must behave identically. Reuse the
solution implemented in xtables-translate (by commit e179e87a1179e)
and turn the above match into 'iifname INVAL/D'.

The commit this fixes merely ignored the fact that an "any interface" match
might be inverted.

Fixes: 0a8635183edd0 ("xtables-compat: ignore '+' interface name")
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 iptables/nft-shared.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index e812a9bcae466..bcb6ada34e0fb 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -168,6 +168,9 @@ void add_iniface(struct nft_handle *h, struct nftnl_rule *r,
 	if (iface[iface_len - 1] == '+') {
 		if (iface_len > 1)
 			add_cmp_ptr(r, op, iface, iface_len - 1, reg);
+		else if (op != NFT_CMP_EQ)
+			add_cmp_ptr(r, NFT_CMP_EQ, "INVAL/D",
+				    strlen("INVAL/D") + 1, reg);
 	} else {
 		add_cmp_ptr(r, op, iface, iface_len + 1, reg);
 	}
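Review bot: the new `else if (op != NFT_CMP_EQ)` branch deserves a one-line comment explaining why "INVAL/D" is a safe never-matching stand-in: the kernel's dev_valid_name() rejects any name containing '/', so no interface can ever carry that name and the inverted any-interface match collapses to a constant false, which is exactly the iptables semantics described in the commit message. The length passed, `strlen("INVAL/D") + 1`, correctly includes the terminating NUL, consistent with the `iface_len + 1` used for full names in the else branch below, so a longer name sharing the prefix cannot match either. Since the commit message says the same string is already used by the xtables-translate path, consider sharing one definition (a macro in the shared header) instead of introducing a second string literal here.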
@@ -185,6 +188,9 @@ void add_outiface(struct nft_handle *h, struct nftnl_rule *r,
 	if (iface[iface_len - 1] == '+') {
 		if (iface_len > 1)
 			add_cmp_ptr(r, op, iface, iface_len - 1, reg);
+		else if (op != NFT_CMP_EQ)
+			add_cmp_ptr(r, NFT_CMP_EQ, "INVAL/D",
+				    strlen("INVAL/D") + 1, reg);
 	} else {
 		add_cmp_ptr(r, op, iface, iface_len + 1, reg);
 	}
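Review bot: this branch is a byte-for-byte copy of the one added to add_iniface above, and the whole '+' handling (prefix compare, no comparison for a bare '+', "INVAL/D" for an inverted bare '+') is now duplicated across both functions; the fix had to be applied twice precisely because of that. Suggest hoisting it into a small static helper, for example a hypothetical `add_iface_cmp(r, op, iface, iface_len, reg)` called from both add_iniface and add_outiface, so that a future change to the stand-in name or the length logic cannot land in one function and not the other. Behaviour here mirrors the input case: `-o +` still emits no comparison, while `! -o +` now emits `oifname "INVAL/D"`.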
-- 
2.38.0
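To make the semantics the patch is after concrete, here is an added C model that is not part of the patch or of iptables itself. It compiles an interface specification the way the '+' handling above does (prefix compare for "eth+", full name plus NUL for "eth0", nothing for a bare "+", an equality test against "INVAL/D" for an inverted bare "+"), then evaluates the result against packet interface names the way an nft cmp would. `valid_ifname()` applies the same rules the kernel's dev_valid_name() uses, which is what guarantees the stand-in name can never be matched. The `struct ifname_cmp`, `compile_iface()` and `iface_matches()` helpers and the sample interface names are all constructed for this example.

```c
/* Added example, not iptables code: models the '+' interface handling
 * and shows why an inverted "any interface" match can never fire. */
#include <assert.h>
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16              /* kernel limit, including the NUL */
#define INVALID_IFNAME "INVAL/D" /* same stand-in the patch uses */

/* Hypothetical compiled form of one "meta iifname <cmp>" expression. */
enum cmp_op { CMP_NONE, CMP_EQ, CMP_NEQ };

struct ifname_cmp {
	enum cmp_op op;
	char data[IFNAMSIZ];
	size_t len;   /* bytes compared: prefix length, or name length + NUL */
};

/* Rules of the kernel's dev_valid_name(): non-empty, shorter than
 * IFNAMSIZ, not "." or "..", and no '/', ':' or whitespace characters. */
bool valid_ifname(const char *name)
{
	size_t len = strlen(name);

	if (len == 0 || len >= IFNAMSIZ)
		return false;
	if (!strcmp(name, ".") || !strcmp(name, ".."))
		return false;
	for (; *name; name++)
		if (*name == '/' || *name == ':' || isspace((unsigned char)*name))
			return false;
	return true;
}

/* Mirror of the patched '+' handling. "+" alone means "any interface":
 * the plain form needs no comparison at all, the inverted form becomes
 * an equality test against a name no interface can have. */
struct ifname_cmp compile_iface(const char *spec, bool invert)
{
	struct ifname_cmp c = { .op = CMP_NONE, .len = 0 };
	size_t len = strlen(spec);
	enum cmp_op op = invert ? CMP_NEQ : CMP_EQ;

	/* Assumption: iptables rejects empty or oversized names earlier. */
	if (len == 0 || len >= IFNAMSIZ)
		return c;
	if (spec[len - 1] == '+') {
		if (len > 1) {
			c.op = op;
			c.len = len - 1;                  /* prefix, no NUL */
			memcpy(c.data, spec, c.len);
		} else if (invert) {
			c.op = CMP_EQ;
			c.len = strlen(INVALID_IFNAME) + 1;
			memcpy(c.data, INVALID_IFNAME, c.len);
		}
	} else {
		c.op = op;
		c.len = len + 1;                          /* name plus NUL */
		memcpy(c.data, spec, c.len);
	}
	return c;
}

/* Evaluate like an nft cmp: compare c->len bytes of the packet's
 * interface name, which the kernel NUL-pads to IFNAMSIZ bytes. */
bool iface_matches(const struct ifname_cmp *c, const char *ifname)
{
	char padded[IFNAMSIZ] = { 0 };
	bool equal;

	if (c->op == CMP_NONE)
		return true;            /* no expression emitted: always matches */
	strncpy(padded, ifname, IFNAMSIZ - 1);
	equal = memcmp(padded, c->data, c->len) == 0;
	return c->op == CMP_EQ ? equal : !equal;
}

int main(void)
{
	const char *ifs[] = { "eth0", "eth1", "wlan0", "lo" };  /* constructed */
	struct ifname_cmp any = compile_iface("+", false);
	struct ifname_cmp none = compile_iface("+", true);
	struct ifname_cmp eth = compile_iface("eth+", false);
	struct ifname_cmp not_eth0 = compile_iface("eth0", true);
	size_t i;

	assert(!valid_ifname(INVALID_IFNAME));   /* '/' is never legal */
	for (i = 0; i < sizeof(ifs) / sizeof(ifs[0]); i++)
		printf("%-6s  -i +:%d  ! -i +:%d  -i eth+:%d  ! -i eth0:%d\n", ifs[i],
		       iface_matches(&any, ifs[i]), iface_matches(&none, ifs[i]),
		       iface_matches(&eth, ifs[i]), iface_matches(&not_eth0, ifs[i]));
	return 0;
}
```

Running it prints one line per sample interface; the `! -i +` column is 0 for every name, the `-i +` column is 1 for every name, and the prefix and full-name columns behave as iptables users expect. The NUL-inclusive length for full names is what stops "eth0" from also matching "eth01".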



