Hi Phil,
Does this patch look okay?
Thanks,
Sriram
On Wed, Mar 13, 2024 at 2:38 PM Sriram Rajagopalan <bglsriram@xxxxxxxxx> wrote:
>
> From: Sriram Rajagopalan <bglsriram@xxxxxxxxx>
> Date: Wed, 13 Mar 2024 02:04:37 -0700
> Subject: [PATCH] iptables: Fixed the issue with combining the payload in case
> of invert filter for tcp src and dst ports
>
> Signed-off-by: Sriram Rajagopalan <sriramr@xxxxxxxxxx>
> Acked-by: Phil Sutter <phil@xxxxxx>
> ---
> iptables/nft.c | 6 ++----
> 1 file changed, 2 insertions(+), 4 deletions(-)
>
> diff --git a/iptables/nft.c b/iptables/nft.c
> index ee63c3dc..884cc77e 100644
> --- a/iptables/nft.c
> +++ b/iptables/nft.c
> @@ -1307,14 +1307,12 @@ static int add_nft_tcpudp(struct nft_handle
> *h,struct nftnl_rule *r,
> uint8_t reg;
> int ret;
>
> - if (src[0] && src[0] == src[1] &&
> + if (!invert_src &&
> + src[0] && src[0] == src[1] &&
> dst[0] && dst[0] == dst[1] &&
> invert_src == invert_dst) {
> uint32_t combined = dst[0] | (src[0] << 16);
>
> - if (invert_src)
> - op = NFT_CMP_NEQ;
> -
> expr = gen_payload(h, NFT_PAYLOAD_TRANSPORT_HEADER, 0, 4, ®);
> if (!expr)
> return -ENOMEM;
> --
> 2.41.0
