xtables: fix missing protocol and invflags

xtables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables: Target problem. Run `dmesg' for more information
x_tables: ip_tables: tcp match: only valid for protocol

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index ac2b27b..0a60124 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -60,6 +60,8 @@
 		add_cmp_u16(r, 0, op);
 	}
 
+	add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags);
+
 	return cs->fw.ip.flags;
 }
 
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index a2e8030..65a8949 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -42,6 +42,8 @@
 		add_proto(r, offsetof(struct ip6_hdr, ip6_nxt), 1,
 			  cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags);
 
+	add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags);
+
 	return cs->fw6.ipv6.flags;
 }
 
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index f55d6f6..b301d41 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -63,6 +63,7 @@
 	      void *data, size_t len, int invflags);
 void add_proto(struct nft_rule *r, int offset, size_t len,
 	       uint32_t proto, int invflags);
+void add_compat(struct nft_rule *r, uint32_t proto, bool inv);
 
 bool is_same_interfaces(const char *a_iniface, const char *a_outiface,
 			unsigned const char *a_iniface_mask,
diff --git a/iptables/nft.c b/iptables/nft.c
index f39f407..e55c18c 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -664,7 +664,7 @@
 	nft_rule_add_expr(r, expr);
 }
 
-static void add_compat(struct nft_rule *r, uint32_t proto, bool inv)
+void add_compat(struct nft_rule *r, uint32_t proto, bool inv)
 {
 	nft_rule_attr_set_u32(r, NFT_RULE_ATTR_COMPAT_PROTO, proto);
 	nft_rule_attr_set_u32(r, NFT_RULE_ATTR_COMPAT_FLAGS,