The checks were wrong: nft_arp_init_cs() initializes masks to 65535, not 0. This went on unnoticed because nft_arp_add() does it right and init_cs callback was not used in e.g. nft_arp_print_rule(). The last patch adding init_cs() calls in potentially required spots exposed this though.

Fixes: 84909d171585d ("xtables: bootstrap ARP compatibility layer for nftables")
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 iptables/nft-arp.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 2784f12ae33a9..c73833270f0e8 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -299,7 +299,8 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
 		sep = " ";
 	}
 
-	if (fw->arp.arpop_mask != 0) {
+	if (fw->arp.arpop_mask != 65535 || fw->arp.arpop != 0 ||
+	    fw->arp.invflags & IPT_INV_ARPOP) {
 		int tmp = ntohs(fw->arp.arpop);
 		printf("%s%s", sep,
 		       fw->arp.invflags & IPT_INV_ARPOP
@@ -329,7 +330,8 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
 		sep = " ";
 	}
 
-	if (fw->arp.arpro_mask != 0) {
+	if (fw->arp.arpro_mask != 65535 || fw->arp.arpro != 0 ||
+	    fw->arp.invflags & IPT_INV_PROTO) {
 		int tmp = ntohs(fw->arp.arpro);
 		printf("%s%s", sep,
 		       fw->arp.invflags & IPT_INV_PROTO
-- 
2.43.0
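Review bot: The new three-term test in the first hunk cannot distinguish an explicitly configured opcode of 0 with a full mask from the nft_arp_init_cs() default, so such a rule would be printed without its opcode match; the same applies to the arpro_mask test in the second hunk. Opcode 0 is not a defined ARP operation, so this is a round-trip corner rather than a practical defect, and if nft_arp_add() applies the same test (the commit message suggests it does) the printed rule at least matches what was programmed. The literal 65535 now appears in both hunks with nothing tying it to the initializer it mirrors; a one-line comment above the first test, `/* init_cs() default is mask 65535, value 0, not inverted: nothing to print */`, or a small static helper taking value, mask and inversion bit, would keep the two conditions from drifting apart. nft_arp_print_rule_details() starts before and continues past both hunks.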