Re: [iptables PATCH] extensions: Fix checking of conntrack --ctproto 0

On Thu, Sep 14, 2023 at 09:29:36AM +0200, Phil Sutter wrote:
> From: Quentin Armitage <quentin@xxxxxxxxxxxxxxx>
> 
> There are three issues in the code:
> 1) the check (sinfo->invflags & XT_INV_PROTO) is using the wrong mask
> 2) in conntrack_mt_parse it is testing (info->invert_flags &
>    XT_INV_PROTO) before the invert bit has been set.
> 3) the sense of the error message is the wrong way round
> 
> 1) To get the error, ! --ctstatus XXX has to be specified, since
>    XT_INV_PROTO == XT_CONNTRACK_STATUS e.g.
>    | iptables -I CHAIN -m conntrack ! --ctstatus ASSURED --ctproto 0 ...
> 
> 3) Unlike --proto 0 (where 0 means all protocols), in the conntrack
>    match --ctproto 0 appears to mean protocol 0, which can never be.
>    Therefore --ctproto 0 could never match and ! --ctproto 0 will always
>    match. Both of these should be rejected, since the user clearly
>    cannot be intending what was specified.
> 
> The attached patch resolves the issue, and also produces an error
> message if --ctproto 0 is specified (as well as ! --ctproto 0 ), since
> --ctproto 0 will never match, and ! --ctproto 0 will always match.
> 
> [Phil: - Added Fixes: tag - it's a day 1 bug
>        - Copied patch description from Bugzilla
>        - Reorganized changes to reduce diff
>        - Added test cases]
> 
> Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=874
> Fixes: 5054e85be3068 ("general conntrack match module userspace support files")
> Signed-off-by: Quentin Armitage <quentin@xxxxxxxxxxxxxxx>
> Signed-off-by: Phil Sutter <phil@xxxxxx>

Patch applied.
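As an added illustration of the three issues described in the quoted commit message (not code from iptables or from the patch itself), the following constructed C model contrasts the pre-fix --ctproto check with the corrected one. It assumes a stripped-down `ct_info` struct in place of the real `xt_conntrack_mtinfo`, and flag values mirroring the kernel UAPI headers (XT_CONNTRACK_PROTO = 0x02, XT_CONNTRACK_STATUS = XT_INV_PROTO = 0x40; the equality is the one the message relies on). Function names `parse_ctproto_buggy`, `parse_ctproto_fixed`, `parse_ctstatus` and `run_rule` are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flag values assumed to mirror the kernel UAPI headers (x_tables.h,
 * xt_conntrack.h). The commit message confirms XT_INV_PROTO aliases
 * XT_CONNTRACK_STATUS, which is what makes issue 1) observable. */
#define XT_INV_PROTO        0x40  /* generic "! --proto" invert bit */
#define XT_CONNTRACK_PROTO  0x02  /* conntrack match: --ctproto present */
#define XT_CONNTRACK_STATUS 0x40  /* conntrack match: --ctstatus present */

/* Constructed stand-in for the fields of the match info the parser touches. */
struct ct_info {
    uint16_t match_flags;
    uint16_t invert_flags;
    uint8_t  l4proto;
};

/* Model of the pre-fix logic. Two defects from the commit message are kept on
 * purpose: the zero check tests XT_INV_PROTO (which is XT_CONNTRACK_STATUS's
 * bit, not --ctproto's), and it runs before the --ctproto invert bit is set.
 * So it fires for "! --ctstatus ... --ctproto 0" and never for "! --ctproto 0". */
static int parse_ctproto_buggy(struct ct_info *info, unsigned int proto, bool invert)
{
    if (proto == 0 && (info->invert_flags & XT_INV_PROTO))
        return -1;                       /* wrong mask, checked too early */
    info->l4proto = (uint8_t)proto;
    info->match_flags |= XT_CONNTRACK_PROTO;
    if (invert)
        info->invert_flags |= XT_CONNTRACK_PROTO;   /* set only after the check */
    return 0;
}

/* Fixed logic: --ctproto 0 can never match and ! --ctproto 0 always matches,
 * so protocol 0 is rejected regardless of inversion and no invert-flag
 * ordering problem can arise. */
static int parse_ctproto_fixed(struct ct_info *info, unsigned int proto, bool invert)
{
    if (proto == 0)
        return -1;                       /* neither form is a sensible rule */
    info->l4proto = (uint8_t)proto;
    info->match_flags |= XT_CONNTRACK_PROTO;
    if (invert)
        info->invert_flags |= XT_CONNTRACK_PROTO;
    return 0;
}

/* Minimal --ctstatus handling: record the option and, when inverted, the bit
 * that happens to alias XT_INV_PROTO. */
static void parse_ctstatus(struct ct_info *info, bool invert)
{
    info->match_flags |= XT_CONNTRACK_STATUS;
    if (invert)
        info->invert_flags |= XT_CONNTRACK_STATUS;
}

/* Parse an optional "[!] --ctstatus X" followed by "[!] --ctproto N" with the
 * given --ctproto parser. Returns 0 if the rule is accepted, -1 if rejected. */
static int run_rule(int (*parse)(struct ct_info *, unsigned int, bool),
                    bool with_status, bool status_inv,
                    unsigned int proto, bool proto_inv)
{
    struct ct_info info = {0};
    if (with_status)
        parse_ctstatus(&info, status_inv);
    return parse(&info, proto, proto_inv);
}

int main(void)
{
    printf("pre-fix:  --ctproto 0                      -> %d\n",
           run_rule(parse_ctproto_buggy, false, false, 0, false));
    printf("pre-fix:  ! --ctproto 0                    -> %d\n",
           run_rule(parse_ctproto_buggy, false, false, 0, true));
    printf("pre-fix:  ! --ctstatus ASSURED --ctproto 0 -> %d\n",
           run_rule(parse_ctproto_buggy, true, true, 0, false));
    printf("fixed:    --ctproto 0                      -> %d\n",
           run_rule(parse_ctproto_fixed, false, false, 0, false));
    printf("fixed:    ! --ctproto 0                    -> %d\n",
           run_rule(parse_ctproto_fixed, false, false, 0, true));
    printf("fixed:    ! --ctstatus ASSURED --ctproto 6 -> %d\n",
           run_rule(parse_ctproto_fixed, true, true, 6, false));
    return 0;
}
```

Running it shows the pre-fix model accepting both `--ctproto 0` and `! --ctproto 0` while rejecting the unrelated `! --ctstatus ASSURED --ctproto 0`, exactly the reproducer from the message; the fixed model rejects protocol 0 in either form and leaves `! --ctstatus` with a real protocol untouched.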


