[iptables PATCH 00/12] Range value related fixes/improvements

Discussion of commit ee87ad419e9a0 ("extensions: libebt_stp: fix range
checking") motivated me to check parser behaviour with ranges, including
some corner cases:

* Negative ranges (e.g. 4:3) are supposed to be rejected
* Ranges may be (half) open, e.g. ":10", "5:" or just ":"
* Ranges may be single element size (e.g. "4:4")
* Full ranges are NOPs aside from the constraints implied by invoking
  the match itself
* Inverted full ranges never match and therefore must at least remain in
  place (code sometimes treated them like non-inverted ones)

The first patch in this series bulk-adds test cases to record the status
quo; the following patches fix behaviour either by implementing checks in
libxtables (patches 2, 3 and 12) or by fixing up extensions. Patch 10 is
an exception: it fixes handling of inverted full ranges when generating
native payload matches for tcp/udp extensions.

Phil Sutter (12):
  extensions: *.t/*.txlate: Test range corner-cases
  libxtables: xtoptions: Assert ranges are monotonic increasing
  libxtables: Reject negative port ranges
  extensions: ah: Save/xlate inverted full ranges
  extensions: frag: Save/xlate inverted full ranges
  extensions: mh: Save/xlate inverted full ranges
  extensions: rt: Save/xlate inverted full ranges
  extensions: esp: Save/xlate inverted full ranges
  extensions: ipcomp: Save inverted full ranges
  nft: Do not omit full ranges if inverted
  extensions: tcp/udp: Save/xlate inverted full ranges
  libxtables: xtoptions: Respect min/max values when completing ranges

 extensions/libebt_ip.t         | 12 +++++++++
 extensions/libebt_ip6.t        | 12 +++++++++
 extensions/libebt_stp.c        | 21 +++++++--------
 extensions/libebt_stp.t        | 45 +++++++++++++++++++++++++++++++
 extensions/libip6t_ah.c        | 22 +++++++++-------
 extensions/libip6t_ah.t        |  6 +++++
 extensions/libip6t_ah.txlate   |  6 +++++
 extensions/libip6t_frag.c      | 27 ++++++++++++-------
 extensions/libip6t_frag.t      |  6 +++++
 extensions/libip6t_frag.txlate |  6 +++++
 extensions/libip6t_mh.c        | 20 +++++++++++---
 extensions/libip6t_mh.t        |  6 +++++
 extensions/libip6t_mh.txlate   |  9 +++++++
 extensions/libip6t_rt.c        | 28 ++++++++++++++------
 extensions/libip6t_rt.t        |  6 +++++
 extensions/libip6t_rt.txlate   |  9 +++++++
 extensions/libipt_ah.c         | 22 ++++++++++------
 extensions/libipt_ah.t         |  6 +++++
 extensions/libipt_ah.txlate    |  6 +++++
 extensions/libxt_NFQUEUE.t     |  7 +++++
 extensions/libxt_connbytes.c   |  4 ---
 extensions/libxt_connbytes.t   |  6 +++++
 extensions/libxt_conntrack.t   | 26 ++++++++++++++++++
 extensions/libxt_dccp.t        | 10 +++++++
 extensions/libxt_esp.c         | 26 ++++++++++++------
 extensions/libxt_esp.t         |  7 +++++
 extensions/libxt_esp.txlate    | 12 +++++++++
 extensions/libxt_ipcomp.c      |  7 ++---
 extensions/libxt_ipcomp.t      |  7 +++++
 extensions/libxt_length.t      |  3 +++
 extensions/libxt_tcp.c         | 48 +++++++++++++++++++++-------------
 extensions/libxt_tcp.t         | 12 +++++++++
 extensions/libxt_tcp.txlate    |  6 +++++
 extensions/libxt_tcpmss.t      |  4 +++
 extensions/libxt_udp.c         | 43 ++++++++++++++++++------------
 extensions/libxt_udp.t         | 12 +++++++++
 extensions/libxt_udp.txlate    |  6 +++++
 iptables/nft.c                 |  4 +--
 libxtables/xtoptions.c         | 23 +++++++++++-----
 39 files changed, 439 insertions(+), 109 deletions(-)

-- 
2.43.0
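As an added illustration of the range corner cases the cover letter lists (this is example code written for this page, not code from the iptables tree; `struct range_spec`, the function names and the 0..65535 port bounds are this example's own assumptions), the following C parser applies the rules as stated: half-open ends are completed with the option's own min/max instead of 0/UINT_MAX, "a:b" with a > b is rejected rather than swapped, a single value is the same as "v:v", a full range is a NOP, and an inverted full range never matches and therefore must still be emitted by save/xlate:

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounds actually matched, after open ends have been completed. */
struct range_spec { unsigned int lo, hi; };

/* Parse an unsigned decimal in [min, max]; reject signs, junk and overflow. */
static bool parse_bounded(const char *s, size_t len, unsigned int min,
                          unsigned int max, unsigned int *out)
{
    char buf[32], *end;
    unsigned long v;

    if (len == 0 || len >= sizeof(buf) || s[0] < '0' || s[0] > '9')
        return false;
    memcpy(buf, s, len);
    buf[len] = '\0';
    errno = 0;
    v = strtoul(buf, &end, 10);
    if (errno || *end != '\0' || v < min || v > max)
        return false;
    *out = (unsigned int)v;
    return true;
}

/* Accept "a", "a:b", ":b", "a:" and ":". Open ends are completed with the
 * option's own min/max (not 0/UINT_MAX), and a > b is an error. */
static bool parse_range(const char *arg, unsigned int min, unsigned int max,
                        struct range_spec *r)
{
    const char *colon = strchr(arg, ':');

    r->lo = min;
    r->hi = max;
    if (!colon) {                        /* "4" means "4:4" */
        if (!parse_bounded(arg, strlen(arg), min, max, &r->lo))
            return false;
        r->hi = r->lo;
        return true;
    }
    if (strchr(colon + 1, ':'))          /* "1:2:3" is malformed */
        return false;
    if (colon != arg &&
        !parse_bounded(arg, (size_t)(colon - arg), min, max, &r->lo))
        return false;
    if (colon[1] != '\0' &&
        !parse_bounded(colon + 1, strlen(colon + 1), min, max, &r->hi))
        return false;
    return r->lo <= r->hi;               /* "4:3" is rejected, not swapped */
}

static bool range_is_full(const struct range_spec *r, unsigned int min,
                          unsigned int max)
{
    return r->lo == min && r->hi == max;
}

/* Test a value against the (possibly inverted) range. */
static bool range_matches(const struct range_spec *r, bool invert, unsigned int v)
{
    bool in = v >= r->lo && v <= r->hi;
    return invert ? !in : in;
}

/* Only a non-inverted full range is a NOP that save/xlate may omit; an
 * inverted full range never matches, so dropping it would match everything. */
static bool range_must_be_emitted(const struct range_spec *r, bool invert,
                                  unsigned int min, unsigned int max)
{
    return invert || !range_is_full(r, min, max);
}

/* Literal-only wrappers, one call per corner case (port bounds assumed). */
static bool parses_to(const char *arg, unsigned int min, unsigned int max,
                      unsigned int lo, unsigned int hi)
{
    struct range_spec r;
    return parse_range(arg, min, max, &r) && r.lo == lo && r.hi == hi;
}

static bool value_matches(const char *arg, bool invert, unsigned int v)
{
    struct range_spec r;
    return parse_range(arg, 0, 65535, &r) && range_matches(&r, invert, v);
}

static bool emit_needed(const char *arg, bool invert)
{
    struct range_spec r;
    return parse_range(arg, 0, 65535, &r) &&
           range_must_be_emitted(&r, invert, 0, 65535);
}

int main(void)
{
    struct range_spec r;
    bool ok = parse_range(":", 0, 65535, &r);

    printf("\":\" -> %u:%u ok=%d inverted never matches=%d keep if inverted=%d\n",
           r.lo, r.hi, ok, !range_matches(&r, true, 80), emit_needed(":", true));
    return 0;
}
```

The point to take from `range_must_be_emitted` is the asymmetry the cover letter describes: a plain ":" can be dropped from save or xlate output without changing the rule, but "! ... :" is a rule that matches nothing, and an emitter that treats both alike silently turns a never-matching rule into an always-matching one.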