On Mon, Nov 18, 2024 at 01:56:50PM +0000, Jeremy Sowden wrote:
> Commit 9ccae6397475 ("nft: Leave interface masks alone when parsing from
> kernel") removed code which explicitly set interface masks to all ones. The
> result of this is that they are zero. However, they are used to mask interfaces
> in `is_same_interfaces`. Consequently, the masked values are always zero, the
> comparisons are always true, and check commands which ought to fail succeed:
>
>   # iptables -N test
>   # iptables -A test -i lo \! -o lo -j REJECT
>   # iptables -v -L test
>   Chain test (0 references)
>   pkts bytes target prot opt in out source destination
>   0 0 REJECT all -- lo !lo anywhere anywhere reject-with icmp-port-unreachable
>   # iptables -v -C test -i abcdefgh \! -o abcdefgh -j REJECT
>   REJECT all opt -- in lo out !lo 0.0.0.0/0 -> 0.0.0.0/0 reject-with icmp-port-unreachable
>
> Remove the mask parameters from `is_same_interfaces`. Add a test-case.
>
> Fixes: 9ccae6397475 ("nft: Leave interface masks alone when parsing from kernel")
> Signed-off-by: Jeremy Sowden <jeremy@xxxxxxxxxx>

This patch also fixes a rule ordering regression (same Fixes) that Phil and I
discovered last week. Thank you!

Tested-by: Eric Garver <eric@xxxxxxxxxxx>
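As an added illustration of the failure mode described in the commit message (a constructed model, not code from iptables or from this thread): a masked byte-wise comparison in the pre-fix shape of `is_same_interfaces`, run with all-zero masks, reports `lo` and `abcdefgh` as the same interface, while the post-fix direct comparison does not. `IFNAMSIZ`, `pad_name` and the mask fill parameter are assumptions of this model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16  /* assumed fixed interface-name width, as in Linux */

/* Constructed helper: zero-pad an interface name to IFNAMSIZ so every
 * byte of the comparison below is defined. */
static void pad_name(char out[IFNAMSIZ], const char *name)
{
    memset(out, 0, IFNAMSIZ);
    strncpy(out, name, IFNAMSIZ - 1);
}

/* Pre-fix shape: compare masked bytes. mask_fill is 0xff for the old
 * explicit all-ones masks and 0x00 for what is left once the masks are
 * no longer set when parsing rules from the kernel. */
static bool same_iface_masked(const char *a, const char *b, unsigned char mask_fill)
{
    char pa[IFNAMSIZ], pb[IFNAMSIZ];
    unsigned char mask[IFNAMSIZ];

    pad_name(pa, a);
    pad_name(pb, b);
    memset(mask, mask_fill, IFNAMSIZ);

    for (int i = 0; i < IFNAMSIZ; i++)
        if (((unsigned char)pa[i] & mask[i]) != ((unsigned char)pb[i] & mask[i]))
            return false;  /* with all-zero masks this line is never reached */
    return true;
}

/* Post-fix shape: the mask parameters are gone and the names are
 * compared directly. */
static bool same_iface(const char *a, const char *b)
{
    char pa[IFNAMSIZ], pb[IFNAMSIZ];

    pad_name(pa, a);
    pad_name(pb, b);
    return memcmp(pa, pb, IFNAMSIZ) == 0;
}

int main(void)
{
    /* The -C scenario from the commit message: rule on lo, check on abcdefgh. */
    printf("zero masks : %d\n", same_iface_masked("lo", "abcdefgh", 0x00)); /* 1: bug */
    printf("ones masks : %d\n", same_iface_masked("lo", "abcdefgh", 0xff)); /* 0 */
    printf("no masks   : %d\n", same_iface("lo", "abcdefgh"));              /* 0 */
    return 0;
}
```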