[iptables PATCH] xtables: Don't pass full invflags to add_compat()

The function expects a boolean, not a bitfield. This bug caused an
inversion in another match to carry over to the protocol match by accident.
The supplied testcase contains rules which then fail because they
contain matches requiring that protocol.

Fixes: 4ef77b6d1b52e ("xtables: fix missing protocol and invflags")
Fixes: 4143a08819a07 ("ebtables-compat: add nft rule compat information to bridge rules")
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 iptables/nft-bridge.c                                  |  2 +-
 iptables/nft-ipv4.c                                    |  2 +-
 iptables/nft-ipv6.c                                    |  2 +-
 iptables/tests/shell/testcases/nft-only/0002invflags_0 | 10 ++++++++++
 4 files changed, 13 insertions(+), 3 deletions(-)
 create mode 100755 iptables/tests/shell/testcases/nft-only/0002invflags_0

diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 386da8693b03a..7dcc0c1adc418 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -222,7 +222,7 @@ static int nft_bridge_add(struct nftnl_rule *r, void *data)
 		add_cmp_u16(r, fw->ethproto, op);
 	}
 
-	add_compat(r, fw->ethproto, fw->invflags);
+	add_compat(r, fw->ethproto, fw->invflags & EBT_IPROTO);
 
 	for (iter = cs->match_list; iter; iter = iter->next) {
 		if (iter->ismatch) {
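Review bot: `fw->invflags & EBT_IPROTO` yields the raw bit value rather than 0/1, so the new argument only behaves as the boolean the commit message says add_compat() expects if that parameter is declared `bool` (implicit conversion normalizes it); if it is an `int` or an unsigned bitfield, prefer `!!(fw->invflags & EBT_IPROTO)` to make the intent explicit. The same applies to the `XT_INV_PROTO` masks in the nft-ipv4.c and nft-ipv6.c hunks below. The add_compat() signature is not visible in this patch, so worth confirming before merging.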
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 4446a3276a9fa..105b1341549fa 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -75,7 +75,7 @@ static int nft_ipv4_add(struct nftnl_rule *r, void *data)
 		add_cmp_u16(r, 0, op);
 	}
 
-	add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags);
+	add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags & XT_INV_PROTO);
 
 	for (matchp = cs->matches; matchp; matchp = matchp->next) {
 		/* Use nft built-in comments support instead of comment match */
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index dfdcc0515079d..dd23557c7e6c0 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -60,7 +60,7 @@ static int nft_ipv6_add(struct nftnl_rule *r, void *data)
 			 &cs->fw6.ipv6.dst, &cs->fw6.ipv6.dmsk,
 			 sizeof(struct in6_addr), op);
 	}
-	add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags);
+	add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags & XT_INV_PROTO);
 
 	for (matchp = cs->matches; matchp; matchp = matchp->next) {
 		/* Use nft built-in comments support instead of comment match */
diff --git a/iptables/tests/shell/testcases/nft-only/0002invflags_0 b/iptables/tests/shell/testcases/nft-only/0002invflags_0
new file mode 100755
index 0000000000000..406b6081a98a4
--- /dev/null
+++ b/iptables/tests/shell/testcases/nft-only/0002invflags_0
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+
+$XT_MULTI iptables -A INPUT -p tcp --dport 53 ! -s 192.168.0.1 -j ACCEPT
+$XT_MULTI ip6tables -A INPUT -p tcp --dport 53 ! -s feed:babe::1 -j ACCEPT
+$XT_MULTI ebtables -A INPUT -p IPv4 --ip-src 10.0.0.1 ! -i lo -j ACCEPT
+
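Review bot: the test uses the bash-only `[[ ... == pattern ]]` construct under a `#!/bin/sh` shebang. Where /bin/sh is dash, `[[` is not found, the `||` branch runs, and the script exits 0 with a "skip" message, so the regression this test is meant to catch would never be exercised. Either change the shebang to `#!/bin/bash` or use the POSIX form `case "$XT_MULTI" in */xtables-nft-multi) ;; *) echo "skip $XT_MULTI"; exit 0 ;; esac`. Also, with `set -e` the test only checks that the three rules are accepted; listing the rules back and checking that the protocol match is not inverted would pin down the actual symptom described in the commit message.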
-- 
2.18.0
