On Fri, Aug 22, 2014 at 11:16:31AM +0200, Giuseppe Longo wrote: > Currently the protocol is tested after the ip address, > this fixes the order testing the protocol before the ip address. > > Now the code generated is incorrect: > > ip filter INPUT 16 > [ payload load 4b @ network header + 12 => reg 1 ] > [ cmp eq reg 1 0x0100a8c0 ] > [ payload load 1b @ network header + 9 => reg 1 ] > [ cmp eq reg 1 0x00000006 ] > [ match name tcp rev 0 ] > [ match name conntrack rev 3 ] > [ counter pkts 0 bytes 0 ] > [ immediate reg 0 accept ] > > With this patch, the code generated is: > ip filter INPUT 16 > [ payload load 1b @ network header + 9 => reg 1 ] > [ cmp eq reg 1 0x00000006 ] > [ payload load 4b @ network header + 12 => reg 1 ] > [ cmp eq reg 1 0x0100a8c0 ] > [ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ] > [ match name tcp rev 0 ] > [ match name conntrack rev 3 ] > [ counter pkts 0 bytes 0 ] > [ immediate reg 0 accept ] Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html