Currently the protocol is tested after the ip address,
this fixes the order testing the protocol before the ip address.
Now the code generated is incorrect:
ip filter INPUT 16
[ payload load 4b @ network header + 12 => reg 1 ]
[ cmp eq reg 1 0x0100a8c0 ]
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ match name tcp rev 0 ]
[ match name conntrack rev 3 ]
[ counter pkts 0 bytes 0 ]
[ immediate reg 0 accept ]
With this patch, the code generated is:
ip filter INPUT 16
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 4b @ network header + 12 => reg 1 ]
[ cmp eq reg 1 0x0100a8c0 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ match name tcp rev 0 ]
[ match name conntrack rev 3 ]
[ counter pkts 0 bytes 0 ]
[ immediate reg 0 accept ]
Signed-off-by: Giuseppe Longo <giuseppelng@xxxxxxxxx>
---
iptables/nft-ipv4.c | 8 ++++----
iptables/nft-ipv6.c | 8 ++++----
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 33bc581..70050ba 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -37,6 +37,10 @@ static int nft_ipv4_add(struct nft_rule *r, void *data)
if (cs->fw.ip.outiface[0] != '\0')
add_outiface(r, cs->fw.ip.outiface, cs->fw.ip.invflags);
+ if (cs->fw.ip.proto != 0)
+ add_proto(r, offsetof(struct iphdr, protocol), 1,
+ cs->fw.ip.proto, cs->fw.ip.invflags);
+
if (cs->fw.ip.src.s_addr != 0)
add_addr(r, offsetof(struct iphdr, saddr),
&cs->fw.ip.src.s_addr, 4, cs->fw.ip.invflags);
@@ -45,10 +49,6 @@ static int nft_ipv4_add(struct nft_rule *r, void *data)
add_addr(r, offsetof(struct iphdr, daddr),
&cs->fw.ip.dst.s_addr, 4, cs->fw.ip.invflags);
- if (cs->fw.ip.proto != 0)
- add_proto(r, offsetof(struct iphdr, protocol), 1,
- cs->fw.ip.proto, cs->fw.ip.invflags);
-
if (cs->fw.ip.flags & IPT_F_FRAG) {
add_payload(r, offsetof(struct iphdr, frag_off), 2);
/* get the 13 bits that contain the fragment offset */
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 00f1bf8..52de5b6 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -34,6 +34,10 @@ static int nft_ipv6_add(struct nft_rule *r, void *data)
if (cs->fw6.ipv6.outiface[0] != '\0')
add_outiface(r, cs->fw6.ipv6.outiface, cs->fw6.ipv6.invflags);
+ if (cs->fw6.ipv6.proto != 0)
+ add_proto(r, offsetof(struct ip6_hdr, ip6_nxt), 1,
+ cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags);
+
if (!IN6_IS_ADDR_UNSPECIFIED(&cs->fw6.ipv6.src))
add_addr(r, offsetof(struct ip6_hdr, ip6_src),
&cs->fw6.ipv6.src, 16, cs->fw6.ipv6.invflags);
@@ -42,10 +46,6 @@ static int nft_ipv6_add(struct nft_rule *r, void *data)
add_addr(r, offsetof(struct ip6_hdr, ip6_dst),
&cs->fw6.ipv6.dst, 16, cs->fw6.ipv6.invflags);
- if (cs->fw6.ipv6.proto != 0)
- add_proto(r, offsetof(struct ip6_hdr, ip6_nxt), 1,
- cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags);
-
add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags);
for (matchp = cs->matches; matchp; matchp = matchp->next) {
--
1.8.3.2
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
