On Sat, Aug 30, 2014 at 01:17:15PM +0800, Yanchuan Nian wrote:
> The protocol expression that should be killed when payload parsing
> isn't the first one but the last one. Look at the result of this command:
That patch is competely wrong. Have you actually tested any other case?
You're simply not killing any payload dependency anymore.
The correct fix is to check for OP_NEQ and deciding not to kill it based
on that.
>
> nft> add rule ip filter input ip protocol != tcp tcp sport 80 drop
> nft> list table ip filter
> table ip filter {
> chain input {
> type filter hook input priority 0;
> ip protocol tcp tcp sport http drop
> }
> }
> nft>
>
> With this patch, the result is:
> nft> add rule ip filter input ip protocol != tcp tcp sport 80 drop
> nft> list table ip filter
> table ip filter {
> chain input {
> type filter hook input priority 0;
> ip protocol != tcp tcp sport http drop
> }
> }
> nft>
>
> Signed-off-by: Yanchuan Nian <ycnian@xxxxxxxxx>
> ---
> src/netlink_delinearize.c | 5 ++---
> 1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
> index 195d432..322c7cc 100644
> --- a/src/netlink_delinearize.c
> +++ b/src/netlink_delinearize.c
> @@ -671,12 +671,11 @@ static void payload_match_postprocess(struct rule_pp_ctx *ctx,
> nstmt = expr_stmt_alloc(&stmt->location, nexpr);
> list_add_tail(&nstmt->list, &stmt->list);
>
> - /* Remember the first payload protocol expression to
> + /* Remember the last payload protocol expression to
> * kill it later on if made redundant by a higher layer
> * payload expression.
> */
> - if (ctx->pbase == PROTO_BASE_INVALID &&
> - left->flags & EXPR_F_PROTOCOL)
> + if (left->flags & EXPR_F_PROTOCOL)
> payload_dependency_store(ctx, nstmt,
> left->payload.base);
> else
> --
> 1.9.3
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
