On Thu, Sep 14, 2023 at 09:29:36AM +0200, Phil Sutter wrote:
> From: Quentin Armitage <quentin@xxxxxxxxxxxxxxx>
>
> There are three issues in the code:
> 1) the check (sinfo->invflags & XT_INV_PROTO) is using the wrong mask
> 2) in conntrack_mt_parse it is testing (info->invert_flags &
>    XT_INV_PROTO) before the invert bit has been set.
> 3) the sense of the error message is the wrong way round
>
> 1) To get the error, ! --ctstatus XXX has to be specified, since
>    XT_INV_PROTO == XT_CONNTRACK_STATUS e.g.
> | iptables -I CHAIN -m conntrack ! --ctstatus ASSURED --ctproto 0 ...
>
> 3) Unlike --proto 0 (where 0 means all protocols), in the conntrack
>    match --ctproto 0 appears to mean protocol 0, which can never be.
>    Therefore --ctproto 0 could never match and ! --ctproto 0 will always
>    match. Both of these should be rejected, since the user clearly
>    cannot be intending what was specified.
>
> The attached patch resolves the issue, and also produces an error
> message if --ctproto 0 is specified (as well as ! --ctproto 0), since
> --ctproto 0 will never match, and ! --ctproto 0 will always match.
>
> [Phil: - Added Fixes: tag - it's a day 1 bug
>        - Copied patch description from Bugzilla
>        - Reorganized changes to reduce diff
>        - Added test cases]
>
> Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=874
> Fixes: 5054e85be3068 ("general conntrack match module userspace support files")
> Signed-off-by: Quentin Armitage <quentin@xxxxxxxxxxxxxxx>
> Signed-off-by: Phil Sutter <phil@xxxxxx>

Patch applied.
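A small C model of the flag handling described in the quoted commit message, added here as an illustration; it is not part of the patch and not the libxt_conntrack.c source. The three constants are the values the kernel uapi headers (x_tables.h, xt_conntrack.h) define, which is why XT_INV_PROTO and XT_CONNTRACK_STATUS collide. The option struct, parse_one() and parse_rule() are simplified stand-ins for conntrack_mt_parse written for this example, with a "fixed" switch that selects the pre- or post-patch check.

```c
/* Model of the --ctproto 0 check in iptables' conntrack match (example
 * code, not the iptables source).  Flag values are the ones the kernel
 * uapi headers define; the parser structure is a simplified stand-in. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define XT_INV_PROTO        0x40  /* x_tables.h: generic "! --proto" bit */
#define XT_CONNTRACK_PROTO  0x02  /* xt_conntrack.h: --ctproto present */
#define XT_CONNTRACK_STATUS 0x40  /* xt_conntrack.h: --ctstatus present;
                                   * numerically equal to XT_INV_PROTO */

struct ct_mtinfo {
    uint16_t match_flags;
    uint16_t invert_flags;
    uint8_t  l4proto;
};

/* One command-line option as the parser sees it (hypothetical shape). */
enum ct_opt_kind { OPT_CTPROTO, OPT_CTSTATUS };
struct ct_opt {
    enum ct_opt_kind kind;
    unsigned value;   /* protocol number; ignored for OPT_CTSTATUS here */
    bool invert;      /* option was prefixed with "!" */
};

/* Parse one option.  Returns false where the real code would call
 * xtables_error().  'fixed' selects the behaviour before/after the patch. */
static bool parse_one(struct ct_mtinfo *info, const struct ct_opt *o, bool fixed)
{
    switch (o->kind) {
    case OPT_CTPROTO:
        info->l4proto = (uint8_t)o->value;
        if (fixed) {
            /* Patched: protocol 0 can never match, inverted or not, so
             * both "--ctproto 0" and "! --ctproto 0" are rejected. */
            if (info->l4proto == 0)
                return false;
        } else {
            /* Original: wrong mask (XT_INV_PROTO is the generic bit and
             * collides with XT_CONNTRACK_STATUS), and the test runs before
             * this option's own invert bit is set below, so it only fires
             * when an earlier "! --ctstatus" already set bit 0x40. */
            if (info->l4proto == 0 && (info->invert_flags & XT_INV_PROTO))
                return false;
        }
        info->match_flags |= XT_CONNTRACK_PROTO;
        if (o->invert)
            info->invert_flags |= XT_CONNTRACK_PROTO;
        return true;
    case OPT_CTSTATUS:
        info->match_flags |= XT_CONNTRACK_STATUS;
        if (o->invert)
            info->invert_flags |= XT_CONNTRACK_STATUS;
        return true;
    }
    return false;
}

/* Parse a whole option list; true if the rule would be accepted. */
static bool parse_rule(const struct ct_opt *opts, size_t n, bool fixed)
{
    struct ct_mtinfo info = {0, 0, 0};
    for (size_t i = 0; i < n; i++)
        if (!parse_one(&info, &opts[i], fixed))
            return false;
    return true;
}

/* Constructed inputs mirroring the rules discussed in the thread. */
static const struct ct_opt rule_proto0[]           = {{OPT_CTPROTO, 0, false}};
static const struct ct_opt rule_not_proto0[]       = {{OPT_CTPROTO, 0, true}};
static const struct ct_opt rule_notstatus_proto0[] = {{OPT_CTSTATUS, 0, true},
                                                      {OPT_CTPROTO, 0, false}};
static const struct ct_opt rule_notstatus_tcp[]    = {{OPT_CTSTATUS, 0, true},
                                                      {OPT_CTPROTO, 6, false}};

int main(void)
{
    struct { const char *name; const struct ct_opt *opts; size_t n; } cases[] = {
        {"--ctproto 0",                      rule_proto0,           1},
        {"! --ctproto 0",                    rule_not_proto0,       1},
        {"! --ctstatus ASSURED --ctproto 0", rule_notstatus_proto0, 2},
        {"! --ctstatus ASSURED --ctproto 6", rule_notstatus_tcp,    2},
    };
    printf("XT_INV_PROTO == XT_CONNTRACK_STATUS: %s\n",
           XT_INV_PROTO == XT_CONNTRACK_STATUS ? "yes" : "no");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-34s original:%s  patched:%s\n", cases[i].name,
               parse_rule(cases[i].opts, cases[i].n, false) ? "accept" : "reject",
               parse_rule(cases[i].opts, cases[i].n, true)  ? "accept" : "reject");
    return 0;
}
```

The original check accepts both `--ctproto 0` and `! --ctproto 0` and rejects only the unrelated `! --ctstatus ASSURED --ctproto 0`, which is exactly the mask collision the commit message points at; the patched check rejects every form of protocol 0 and still accepts a real protocol after `! --ctstatus`.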