Using iptables 4.4.11.1, the following input:

-A lan-dmz -p 6 --dport 80 -m conntrack --ctorigdstport 8080 -d 70.90.191.125 -m conntrack --ctorigdst 172.20.1.254 -j ACCEPT

results in this:

Chain lan-dmz (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 70.90.191.125 tcp dpt:80 ctorigdstport 36895 ctorigdst 172.20.1.254

Note that 8080 == 0x1f90 while 36895 == 0x901f, i.e. the port value is stored with its two bytes swapped, so the rule matches the wrong port. The attached patch seems to resolve the issue.

-Tom

--
Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________
--- extensions/libxt_conntrack.c.orig 2011-06-08 06:26:17.000000000 -0700
+++ extensions/libxt_conntrack.c 2011-07-06 15:22:03.000000000 -0700
@@ -130,13 +130,13 @@
 	{.name = "ctexpire", .id = O_CTEXPIRE, .type = XTTYPE_UINT32RC,
 	 .flags = XTOPT_INVERT},
 	{.name = "ctorigsrcport", .id = O_CTORIGSRCPORT, .type = XTTYPE_PORTRC,
-	 .flags = XTOPT_INVERT},
+	 .flags = XTOPT_INVERT|XTOPT_NBO},
 	{.name = "ctorigdstport", .id = O_CTORIGDSTPORT, .type = XTTYPE_PORTRC,
-	 .flags = XTOPT_INVERT},
+	 .flags = XTOPT_INVERT|XTOPT_NBO},
 	{.name = "ctreplsrcport", .id = O_CTREPLSRCPORT, .type = XTTYPE_PORTRC,
-	 .flags = XTOPT_INVERT},
+	 .flags = XTOPT_INVERT|XTOPT_NBO},
 	{.name = "ctrepldstport", .id = O_CTREPLDSTPORT, .type = XTTYPE_PORTRC,
-	 .flags = XTOPT_INVERT},
+	 .flags = XTOPT_INVERT|XTOPT_NBO},
 	{.name = "ctdir", .id = O_CTDIR, .type = XTTYPE_STRING},
 	XTOPT_TABLEEND,
 };
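Review bot: Adding XTOPT_NBO to the four XTTYPE_PORTRC entries is the right fix — the kernel-side conntrack match compares these port fields in network byte order, so the host-order value the option parser stored made `--ctorigdstport 8080` silently match port 36895 instead, which is a firewall rule enforcing something other than what the administrator wrote; the tcp/udp extensions carry the same flag on their port options. The four `.flags` lines are now identical and easy to get out of step the next time a port option is added, so a comment above the table would pin the invariant: `/* port ranges are compared in network byte order by the kernel: every XTTYPE_PORTRC entry must carry XTOPT_NBO */`. If this file still has separate parse and print paths for earlier match revisions (outside this hunk), it is worth checking that they do their own htons()/ntohs() so a saved rule restores to the same port on every revision. The option table this hunk edits begins before the hunk, and the submission lacks a Signed-off-by line.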