Re: [PATCH iptables] nft: fix interface comparisons in `-C` commands

On Mon, Nov 18, 2024 at 01:56:50PM +0000, Jeremy Sowden wrote:
> Commit 9ccae6397475 ("nft: Leave interface masks alone when parsing from
> kernel") removed code which explicitly set interface masks to all ones.  The
> result of this is that they are zero.  However, they are used to mask interfaces
> in `is_same_interfaces`.  Consequently, the masked values are always zero, the
> comparisons are always true, and check commands which ought to fail succeed:
> 
>   # iptables -N test
>   # iptables -A test -i lo \! -o lo -j REJECT
>   # iptables -v -L test
>   Chain test (0 references)
>    pkts bytes target     prot opt in     out     source               destination
>       0     0 REJECT     all  --  lo     !lo     anywhere             anywhere             reject-with icmp-port-unreachable
>   # iptables -v -C test -i abcdefgh \! -o abcdefgh -j REJECT
>   REJECT  all opt -- in lo out !lo  0.0.0.0/0  -> 0.0.0.0/0   reject-with icmp-port-unreachable
> 
> Remove the mask parameters from `is_same_interfaces`.  Add a test-case.
> 
> Fixes: 9ccae6397475 ("nft: Leave interface masks alone when parsing from kernel")
> Signed-off-by: Jeremy Sowden <jeremy@xxxxxxxxxx>

This patch also fixes a rule ordering regression (same Fixes) that Phil
and I discovered last week. Thank you!

Tested-by: Eric Garver <eric@xxxxxxxxxxx>
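The mechanism described in the quoted commit message, as an added illustration that is not iptables code: a masked interface comparison in which both masks are all zeros reduces every byte to `0 & 0`, so any two names compare equal, whereas comparing the names directly gives the expected answer. The two functions below are simplified stand-ins written for this example (the real `is_same_interfaces` in iptables is not reproduced here), and the interface names "lo" and "abcdefgh" are taken from the commit message's reproduction.

```c
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define IFNAMSIZ 16  /* Linux interface-name buffer size, including the NUL */

/* Simplified model of the pre-fix comparison: both names are masked
 * before being compared. When the masks are all zeros (the state the
 * commit message describes after 9ccae6397475), every masked byte is
 * zero on both sides and the function returns true for any pair. */
static bool is_same_interfaces_masked(const char *a_name, const char *b_name,
                                      const unsigned char *a_mask,
                                      const unsigned char *b_mask)
{
    for (int i = 0; i < IFNAMSIZ; i++) {
        if (a_mask[i] != b_mask[i])
            return false;
        if ((a_name[i] & a_mask[i]) != (b_name[i] & b_mask[i]))
            return false;
    }
    return true;
}

/* Simplified model of the post-fix comparison: names compared directly,
 * no mask parameters. */
static bool is_same_interfaces(const char *a_name, const char *b_name)
{
    return strncmp(a_name, b_name, IFNAMSIZ) == 0;
}

/* Models one `-C` check: does the rule's interface match the one given on
 * the check command line? `use_masks` selects the buggy or fixed path.
 * Masks are left all-zero on purpose to reproduce the described state. */
bool check_matches(const char *rule_iface, const char *check_iface, bool use_masks)
{
    char rule_name[IFNAMSIZ], check_name[IFNAMSIZ];
    unsigned char rule_mask[IFNAMSIZ], check_mask[IFNAMSIZ];

    memset(rule_name, 0, sizeof rule_name);
    memset(check_name, 0, sizeof check_name);
    memset(rule_mask, 0, sizeof rule_mask);   /* all-zero mask: the bug */
    memset(check_mask, 0, sizeof check_mask);
    strncpy(rule_name, rule_iface, IFNAMSIZ - 1);
    strncpy(check_name, check_iface, IFNAMSIZ - 1);

    if (use_masks)
        return is_same_interfaces_masked(rule_name, check_name, rule_mask, check_mask);
    return is_same_interfaces(rule_name, check_name);
}

int main(void)
{
    /* Rule was added with "-i lo"; the check asks about "abcdefgh". */
    printf("masked (buggy): lo vs abcdefgh -> %s\n",
           check_matches("lo", "abcdefgh", true) ? "match" : "no match");
    printf("direct (fixed): lo vs abcdefgh -> %s\n",
           check_matches("lo", "abcdefgh", false) ? "match" : "no match");
    printf("direct (fixed): lo vs lo       -> %s\n",
           check_matches("lo", "lo", false) ? "match" : "no match");
    return 0;
}
```

The first line prints "match", which is the false positive the commit message shows for `iptables -C test -i abcdefgh ...`; dropping the mask parameters makes the second line "no match" while a genuine match on `lo` still succeeds.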
