On Fri, Sep 20, 2019 at 11:30:20AM +0200, Phil Sutter wrote:
> Type used for 'mask' and 'xor' parameters was wrong: 'int' is four bytes
> on 32- or 64-bit architectures. After casting a uint16_t to int, on Big
> Endian the first two bytes of data are (the leading) zeros, which libnftnl
> then copies instead of the actual value.
> 
> This problem was noticed when using '--fragment' option:
> 
> | # iptables-nft -A FORWARD --fragment -j ACCEPT
> | # nft list ruleset | grep frag-off
> | ip frag-off & 0 != 0 counter packets 0 bytes 0 accept
> 
> With this fix in place, the resulting nft rule is correct:
> 
> | ip frag-off & 8191 != 0 counter packets 0 bytes 0 accept
> 
> Fixes: 2f1fbab671576 ("iptables: nft: add -f support")
> Signed-off-by: Phil Sutter <p...@nwl.cc>

Acked-by: Pablo Neira Ayuso <pa...@netfilter.org>

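The bug class the commit message describes (an int passed where a uint16_t is expected, with a byte-oriented setter copying only sizeof(uint16_t) bytes from its start) is easy to reproduce without a big-endian machine. The following is an added example, not code from iptables, libnftnl or the patch: set_attr() is a hypothetical stand-in for a libnftnl-style attribute setter that copies `len` bytes from whatever pointer it is given, and store32()/load16() simulate the memory layout of both byte orders so the big-endian failure can be shown on any host. The mask value 0x1fff (8191) is the frag-off mask from the rule above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a libnftnl-style attribute setter: it copies
 * `len` raw bytes starting at `data` and knows nothing about the C type
 * behind the pointer. This is an assumption for the example, not the real API. */
static void set_attr(uint8_t *dst, const void *data, size_t len)
{
    memcpy(dst, data, len);
}

/* Lay out a 32-bit value in memory as a big- or little-endian CPU would. */
static void store32(uint8_t out[4], uint32_t v, int big_endian)
{
    for (int i = 0; i < 4; i++) {
        int shift = big_endian ? 24 - 8 * i : 8 * i;
        out[i] = (uint8_t)(v >> shift);
    }
}

/* Same for a 16-bit value. */
static void store16(uint8_t out[2], uint16_t v, int big_endian)
{
    out[0] = (uint8_t)(big_endian ? v >> 8 : v);
    out[1] = (uint8_t)(big_endian ? v : v >> 8);
}

/* Read two bytes back as a uint16_t in the given byte order. */
static uint16_t load16(const uint8_t in[2], int big_endian)
{
    return big_endian ? (uint16_t)((in[0] << 8) | in[1])
                      : (uint16_t)((in[1] << 8) | in[0]);
}

/* Buggy variant: the caller stores the mask in an int (four bytes) but tells
 * the setter the attribute is sizeof(uint16_t) bytes long. On big endian the
 * first two bytes of the int are the leading zeros, so the mask becomes 0. */
uint16_t frag_mask_buggy(uint16_t mask, int big_endian)
{
    uint8_t storage[4], attr[2];
    store32(storage, (uint32_t)(int)mask, big_endian);   /* int m = mask; */
    set_attr(attr, storage, sizeof(uint16_t));
    return load16(attr, big_endian);
}

/* Fixed variant: the variable keeps the uint16_t type, so the two bytes copied
 * are exactly the value regardless of byte order. */
uint16_t frag_mask_fixed(uint16_t mask, int big_endian)
{
    uint8_t storage[2], attr[2];
    store16(storage, mask, big_endian);                  /* uint16_t m = mask; */
    set_attr(attr, storage, sizeof(uint16_t));
    return load16(attr, big_endian);
}

/* Detect the byte order of the machine this is actually running on. */
int host_is_big_endian(void)
{
    const uint16_t probe = 0x0102;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 0x01;
}

/* The buggy pattern using real host memory instead of the simulation. */
uint16_t frag_mask_buggy_native(uint16_t mask)
{
    int as_int = mask;           /* the wrong type from the original code */
    uint16_t attr;
    set_attr((uint8_t *)&attr, &as_int, sizeof(uint16_t));
    return attr;
}

int main(void)
{
    const uint16_t mask = 0x1fff;   /* ip frag-off mask, 8191 */
    printf("simulated little endian: buggy=%#x fixed=%#x\n",
           frag_mask_buggy(mask, 0), frag_mask_fixed(mask, 0));
    printf("simulated big endian:    buggy=%#x fixed=%#x\n",
           frag_mask_buggy(mask, 1), frag_mask_fixed(mask, 1));
    printf("this host (%s endian):   buggy=%#x\n",
           host_is_big_endian() ? "big" : "little", frag_mask_buggy_native(mask));
    return 0;
}
```

The little-endian result is the reason the bug went unnoticed for a while: with the low-order bytes first, copying two bytes of a four-byte int happens to yield the right mask, so only a big-endian build ever produced the `frag-off & 0` rule shown above.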