[iptables PATCH 5/6] ebtables: ip and ip6 matches depend on protocol match

This is consistent with legacy ebtables and also avoids invalid
combinations like '-p IPv6 --ip-source 1.2.3.4'.

Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 iptables/nft-bridge.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 83cbe31559d4b..b9983b203f6d0 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -104,11 +104,18 @@ static int
 nft_bridge_add_match(struct nft_handle *h, const struct ebt_entry *fw,
 		     struct nftnl_rule *r, struct xt_entry_match *m)
 {
-	if (!strcmp(m->u.user.name, "802_3") &&
-	    !(fw->bitmask & EBT_802_3))
+	if (!strcmp(m->u.user.name, "802_3") && !(fw->bitmask & EBT_802_3))
 		xtables_error(PARAMETER_PROBLEM,
 			      "For 802.3 DSAP/SSAP filtering the protocol must be LENGTH");
 
+	if (!strcmp(m->u.user.name, "ip") && fw->ethproto != htons(ETH_P_IP))
+		xtables_error(PARAMETER_PROBLEM,
+			      "For IP filtering the protocol must be specified as IPv4.");
+
+	if (!strcmp(m->u.user.name, "ip6") && fw->ethproto != htons(ETH_P_IPV6))
+		xtables_error(PARAMETER_PROBLEM,
+			      "For IPv6 filtering the protocol must be specified as IPv6.");
+
 	return add_match(h, r, m);
 }
 
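Review bot: the new ip and ip6 checks test only fw->ethproto, so an inverted protocol match ('! -p IPv4 --ip-source ...') is still accepted, since ethproto equals htons(ETH_P_IP) in that case as well; the legacy ebtables ip/ip6 extension check also rejects when the EBT_IPROTO inversion flag is set, so to be consistent with it as the commit message says, consider `fw->ethproto != htons(ETH_P_IP) || (fw->invflags & EBT_IPROTO)` and the same for ip6. Minor: the first two removed/added lines are a whitespace-only reflow of the existing 802_3 check and could be dropped to keep the diff focused on the new checks.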
-- 
2.38.0
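As an added worked example (not part of this patch or of the iptables sources), here is a standalone C model of the match-versus-protocol dependency the patch introduces, extended to cover a negated protocol match. The struct, the match_allowed() helper and the inline test cases are made up for illustration; the ETH_P_* and EBT_IPROTO values are copied from the kernel headers but defined locally so the file builds on its own.

```c
/* Added example: standalone model of the ip/ip6 match-vs-protocol check.
 * Not iptables code; struct and helper names are invented for illustration. */
#include <arpa/inet.h>   /* htons() */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_P_IP    0x0800   /* same values as <linux/if_ether.h> */
#define ETH_P_IPV6  0x86DD
#define EBT_IPROTO  0x01     /* same value as the kernel's "protocol negated" flag */

/* Hypothetical stand-in for the two ebt_entry fields the check needs. */
struct toy_entry {
    uint16_t ethproto;      /* network byte order, as in struct ebt_entry */
    unsigned int invflags;  /* EBT_IPROTO set when the rule used "! -p" */
};

/* Returns NULL when the match may be combined with the entry's protocol,
 * otherwise the error text a front end would print.  The invflags test
 * is the edge case the patch does not cover: "! -p IPv4 --ip-source ..."
 * leaves ethproto equal to ETH_P_IP even though the rule no longer
 * selects IPv4 frames. */
static const char *check_match_proto(const struct toy_entry *e, const char *match)
{
    int negated = e->invflags & EBT_IPROTO;

    if (!strcmp(match, "ip") && (e->ethproto != htons(ETH_P_IP) || negated))
        return "For IP filtering the protocol must be specified as IPv4.";
    if (!strcmp(match, "ip6") && (e->ethproto != htons(ETH_P_IPV6) || negated))
        return "For IPv6 filtering the protocol must be specified as IPv6.";
    return NULL;
}

/* Convenience wrapper: 1 if "[!] -p <proto> ... <match option>" is accepted.
 * proto_host is in host byte order; 0 models a rule with no -p at all. */
int match_allowed(uint16_t proto_host, int negated, const char *match)
{
    struct toy_entry e = { htons(proto_host), negated ? EBT_IPROTO : 0u };
    return check_match_proto(&e, match) == NULL;
}

int main(void)
{
    /* Constructed cases mirroring the combinations from the commit message. */
    struct { uint16_t proto; int neg; const char *match; const char *rule; } cases[] = {
        { ETH_P_IP,   0, "ip",   "-p IPv4 --ip-source 1.2.3.4" },
        { ETH_P_IPV6, 0, "ip",   "-p IPv6 --ip-source 1.2.3.4" },
        { ETH_P_IPV6, 0, "ip6",  "-p IPv6 --ip6-source 2001:db8::1" },
        { ETH_P_IP,   1, "ip",   "! -p IPv4 --ip-source 1.2.3.4" },
        { 0,          0, "ip",   "--ip-source 1.2.3.4 (no -p)" },
        { ETH_P_IP,   0, "mark", "-p IPv4 --mark 1 (unrelated match)" },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int ok = match_allowed(cases[i].proto, cases[i].neg, cases[i].match);
        printf("%-40s -> %s\n", cases[i].rule, ok ? "accepted" : "rejected");
    }
    return 0;
}
```

The check is deliberately keyed on the match name, as in the patch, so unrelated matches such as mark are never rejected by it; only the ip and ip6 matches carry the protocol dependency.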