Each address in the filter is matched one 32-bit word at a time. If any of the first three words don't match, we jump to the end of the filter. If the last word does match, we jump to the end of the filter. However, this is not right: it means that if any of the first three words of an address don't match, all subsequent addresses will be skipped. Instead, jump to the next address. Fix formatting of `nfct_bsf_cmp_k_stack`. Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690676 Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1062 Fixes: dd73e5708cc2 ("bsf: add support for IPv6 address filtering") Signed-off-by: Jeremy Sowden <jeremy@xxxxxxxxxx> --- src/conntrack/bsf.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/conntrack/bsf.c b/src/conntrack/bsf.c index 35cc8b7690c0..48fd4fafbc3e 100644 --- a/src/conntrack/bsf.c +++ b/src/conntrack/bsf.c @@ -163,7 +163,7 @@ struct jump { static int nfct_bsf_cmp_k_stack(struct sock_filter *this, int k, - int jump_true, int pos, struct stack *s) + int jump_true, int pos, struct stack *s) { struct sock_filter __code = { .code = BPF_JMP|BPF_JEQ|BPF_K, @@ -640,8 +640,8 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f, j); if (k < 3) { j += nfct_bsf_cmp_k_stack_jf(this, ip, - jf - j - 1, - j, s); + (3 - k) * 3 + 1, + j, s); } else { /* last word: jump if true */ j += nfct_bsf_cmp_k_stack(this, ip, jf - j, @@ -655,7 +655,7 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f, this[jmp.line].jt += jmp.jt + j; } if (jmp.jf) { - this[jmp.line].jf += jmp.jf + j; + this[jmp.line].jf += jmp.jf; } } -- 2.40.1
