The following rule:

ip protocol tcp counter packets 0 bytes 0 tcp dport ssh accept

is built in byte code as:

ip test filter [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ counter pkts 0 bytes 0 ] [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x00001600 ] [ immediate reg 0 accept ]

But the simplification process is reverting it to:

counter tcp dport ssh accept

which is a different rule. This patch is fixing the issue by resetting the dependency when we are seeing a counter statement.

Signed-off-by: Eric Leblond <eric@xxxxxxxxx>

--- src/netlink_delinearize.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index 387bb67..181942b 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -770,6 +770,12 @@ static void payload_dependency_store(struct rule_pp_ctx *ctx, ctx->pdep = stmt; } +static void payload_dependency_reset(struct rule_pp_ctx *ctx) +{ + ctx->pbase = PROTO_BASE_INVALID; + ctx->pdep = NULL; +} + static void integer_type_postprocess(struct expr *expr) { struct expr *i; @@ -1137,6 +1143,9 @@ static void rule_parse_postprocess(struct netlink_parse_ctx *ctx, struct rule *r case STMT_REJECT: stmt_reject_postprocess(rctx, stmt); break; + case STMT_COUNTER: + payload_dependency_reset(&rctx); + break; default: break; } -- 2.1.4
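Review bot: the new payload_dependency_reset() helper in the first hunk (after payload_dependency_store()) is undocumented, and the reason it must exist is not obvious from the two assignments: a reader will ask why the pending dependency is forgotten rather than merged, and whether the statement referenced by ctx->pdep is still owned by the rule's statement list once the pointer is cleared (the hunk only nulls the pointer, it does not free or unlink anything, which is the behaviour the commit message wants, since the `ip protocol tcp` match has to stay in the listed rule). Suggest a short comment above the function, e.g. "A statement sits between the stored dependency and the payload expression; keep the dependency as an explicit match so the statement is not reordered relative to it, and stop tracking it here." It would also help to confirm that PROTO_BASE_INVALID is the same value the context starts with, so a reset context is indistinguishable from a fresh one for later expr_postprocess() calls.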
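Review bot: the second hunk only adds the reset for STMT_COUNTER, yet the problem described in the commit message is positional, not counter-specific: any statement that lands between the dependency match and the later payload expression changes which packets it applies to when the dependency is folded away. With the visible switch, every other statement type still falls into `default: break;` and keeps the stale dependency, so the same mis-listing would recur for those. Consider calling payload_dependency_reset(&rctx) from the default branch (or for every non-expression statement) instead of adding per-type cases, and note that the new call correctly passes `&rctx` because the helper must mutate the caller's context, unlike the neighbouring `stmt_reject_postprocess(rctx, stmt)` call that receives the context by value.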