Re: [iptables PATCH 00/12] Range value related fixes/improvements



On Fri, Feb 02, 2024 at 02:52:55PM +0100, Phil Sutter wrote:
> Discussion of commit ee87ad419e9a0 ("extensions: libebt_stp: fix range
> checking") motivated me to check parser behaviour with ranges, including
> some corner cases:
>
> * Negative ranges (e.g. 4:3) are supposed to be rejected
> * Ranges may be (half) open, e.g. ":10", "5:" or just ":"
> * Ranges may be single element size (e.g. "4:4")
> * Full ranges are NOPs aside from the constraints implied by invoking
>   the match itself
> * Inverted full ranges never match and therefore must at least remain in
>   place (code sometimes treated them like non-inverted ones)
>
> First patch in this series bulk-adds test cases to record the status
> quo, following patches fix behaviour either by implementing checks into
> libxtables (in patches 2, 3 and 12) or fixing up extensions. Patch 10 is
> an exception, it fixes for inverted full ranges when generating native
> payload matches for tcp/udp extensions.
>
> Phil Sutter (12):
>   extensions: *.t/*.txlate: Test range corner-cases
>   libxtables: xtoptions: Assert ranges are monotonic increasing
>   libxtables: Reject negative port ranges
>   extensions: ah: Save/xlate inverted full ranges
>   extensions: frag: Save/xlate inverted full ranges
>   extensions: mh: Save/xlate inverted full ranges
>   extensions: rt: Save/xlate inverted full ranges
>   extensions: esp: Save/xlate inverted full ranges
>   extensions: ipcomp: Save inverted full ranges
>   nft: Do not omit full ranges if inverted
>   extensions: tcp/udp: Save/xlate inverted full ranges
>   libxtables: xtoptions: Respect min/max values when completing ranges

Series applied.
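The range corner cases listed in the quoted cover letter (negative ranges rejected, half-open ranges completed against the match's own min/max, single-element ranges, and full ranges that are a NOP when plain but never match when inverted), as an added stand-alone C example; it is not libxtables code, and the names `xt_range`, `parse_range`, `range_is_full` and `range_matches` are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Parsed range; 'valid' is false when the text was rejected. */
struct xt_range { unsigned int min, max; bool valid; };
/* Parse one side of "a:b". An empty side is open and takes 'open_val' (the
 * match's own min or max), so ":" completes to the full legal range. */
static bool parse_bound(const char *s, size_t len, unsigned int open_val, unsigned int *out)
{
    char buf[16], *end; unsigned long v;
    if (len == 0) { *out = open_val; return true; }
    if (len >= sizeof(buf) || s[0] < '0' || s[0] > '9')
        return false;   /* strtoul alone would accept "-3" or " 3" */
    memcpy(buf, s, len); buf[len] = '\0';
    errno = 0;
    v = strtoul(buf, &end, 10);
    if (errno || *end || v > UINT_MAX)
        return false;
    *out = (unsigned int)v;
    return true;
}

/* Parse "n", "a:b", ":b", "a:" or ":" against the match's legal [lo, hi]. */
struct xt_range parse_range(const char *text, unsigned int lo, unsigned int hi)
{
    struct xt_range r = { 0, 0, false };
    const char *colon = strchr(text, ':');
    size_t llen = colon ? (size_t)(colon - text) : strlen(text);
    if (!*text || !parse_bound(text, llen, lo, &r.min))
        return r;
    if (!colon)
        r.max = r.min;  /* a single value is the range "n:n" */
    else if (!parse_bound(colon + 1, strlen(colon + 1), hi, &r.max))
        return r;
    /* Reject bounds outside [lo, hi] and negative ranges such as "4:3". */
    r.valid = r.min >= lo && r.max <= hi && r.min <= r.max;
    return r;
}

/* A full range covers the whole legal interval: plain, it is a NOP that may be
 * omitted; inverted, it never matches and must still survive save/xlate. */
bool range_is_full(const struct xt_range *r, unsigned int lo, unsigned int hi)
{ return r->min == lo && r->max == hi; }
/* Does value 'v' match the (possibly inverted) range? */
bool range_matches(const struct xt_range *r, bool invert, unsigned int v)
{ bool in = v >= r->min && v <= r->max; return invert ? !in : in; }
```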
