[PATCH conntrack-tools,v2 1/2] conntrackd: Fix "Address Accept" filter case

From: Robin Geuze <robing@xxxxxxxxxx>

This fixes a bug in the Address Accept filter case where, if you only
specify either addresses or masks, it would never match, e.g.

Filter From Userspace {
    Address Accept {
        IPv4_address 127.0.0.1
    }
}

or

Filter From Userspace {
    Address Accept {
        IPv4_address 0.0.0.0/0
    }
}

If lpm filter fails, fall back to hashtable lookup for exact matching.
If lpm filter succeeds, then depending on the policy, skip hashtable
lookup (in case policy is accept) or return mismatch (in case policy is
ignore).

Signed-off-by: Robin Geuze <robing@xxxxxxxxxx>
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
v2: simplify previous version.

 src/filter.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/filter.c b/src/filter.c
index 00a5e96ecc24..65771025308f 100644
--- a/src/filter.c
+++ b/src/filter.c
@@ -335,16 +335,22 @@ ct_filter_check(struct ct_filter *f, const struct nf_conntrack *ct)
 		switch(nfct_get_attr_u8(ct, ATTR_L3PROTO)) {
 		case AF_INET:
 			ret = vector_iterate(f->v, ct, __ct_filter_test_mask4);
-			if (ret ^ f->logic[CT_FILTER_ADDRESS])
+			if (ret) {
+				if (f->logic[CT_FILTER_ADDRESS])
+					break;
 				return 0;
+			}
 			ret = __ct_filter_test_ipv4(f, ct);
 			if (ret ^ f->logic[CT_FILTER_ADDRESS])
 				return 0;
 			break;
 		case AF_INET6:
 			ret = vector_iterate(f->v6, ct, __ct_filter_test_mask6);
-			if (ret ^ f->logic[CT_FILTER_ADDRESS])
+			if (ret) {
+				if (f->logic[CT_FILTER_ADDRESS])
+					break;
 				return 0;
+			}
 			ret = __ct_filter_test_ipv6(f, ct);
 			if (ret ^ f->logic[CT_FILTER_ADDRESS])
 				return 0;
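Review bot: the new lpm-hit block (`if (ret) { if (f->logic[CT_FILTER_ADDRESS]) break; return 0; }`) is duplicated verbatim in the AF_INET and AF_INET6 cases, differing only in the vector (`f->v` vs `f->v6`) and the two test callbacks; consider folding the lpm-then-hashtable sequence into one static helper that takes the vector, the mask test and the exact-match test, so the accept/ignore policy decision lives in a single place. A short comment above the block would also help, since `break` on an lpm match only skips the hashtable lookup under the accept policy while the same match under the ignore policy returns a mismatch, and right now the commit message is the only place that spells this out.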
-- 
2.11.0