[PATCH conntrack-tools 1/2] conntrackd: Fix "Address Accept" filter case

From: Robin Geuze <robing@xxxxxxxxxx>

This fixes a bug in the Address Accept filter case where, if you only
specify either addresses or masks, it would never match, e.g.

Filter From Userspace {
    Address Accept {
        IPv4_address 127.0.0.1
    }
}

or

Filter From Userspace {
    Address Accept {
        IPv4_address 0.0.0.0/0
    }
}

Signed-off-by: Robin Geuze <robing@xxxxxxxxxx>
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 src/filter.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/filter.c b/src/filter.c
index 00a5e96ecc24..3c5ab6fc66f1 100644
--- a/src/filter.c
+++ b/src/filter.c
@@ -335,16 +335,24 @@ ct_filter_check(struct ct_filter *f, const struct nf_conntrack *ct)
 		switch(nfct_get_attr_u8(ct, ATTR_L3PROTO)) {
 		case AF_INET:
 			ret = vector_iterate(f->v, ct, __ct_filter_test_mask4);
-			if (ret ^ f->logic[CT_FILTER_ADDRESS])
-				return 0;
+			if (ret) {
+				if (f->logic[CT_FILTER_ADDRESS])
+					break;
+				else if (!f->logic[CT_FILTER_ADDRESS])
+					return 0;
+			}
 			ret = __ct_filter_test_ipv4(f, ct);
 			if (ret ^ f->logic[CT_FILTER_ADDRESS])
 				return 0;
 			break;
 		case AF_INET6:
 			ret = vector_iterate(f->v6, ct, __ct_filter_test_mask6);
-			if (ret ^ f->logic[CT_FILTER_ADDRESS])
-				return 0;
+			if (ret) {
+				if (f->logic[CT_FILTER_ADDRESS])
+					break;
+				else if (!f->logic[CT_FILTER_ADDRESS])
+					return 0;
+			}
 			ret = __ct_filter_test_ipv6(f, ct);
 			if (ret ^ f->logic[CT_FILTER_ADDRESS])
 				return 0;
-- 
2.11.0
