On Tue, Nov 19, 2024 at 10:34:10PM +0000, Jeremy Sowden wrote:
> On 2024-11-19, at 23:03:24 +0100, Phil Sutter wrote:
> > From: Jeremy Sowden <jeremy@xxxxxxxxxx>
> >
> > Commit 9ccae6397475 ("nft: Leave interface masks alone when parsing from
> > kernel") removed code which explicitly set interface masks to all ones. The
> > result of this is that they are zero. However, they are used to mask interfaces
> > in `is_same_interfaces`. Consequently, the masked values are always zero, the
> > comparisons are always true, and check commands which ought to fail succeed:
> >
> >   # iptables -N test
> >   # iptables -A test -i lo \! -o lo -j REJECT
> >   # iptables -v -L test
> >   Chain test (0 references)
> >    pkts bytes target     prot opt in     out     source               destination
> >       0     0 REJECT     all  --  lo     !lo     anywhere             anywhere             reject-with icmp-port-unreachable
> >   # iptables -v -C test -i abcdefgh \! -o abcdefgh -j REJECT
> >   REJECT  all opt -- in lo out !lo  0.0.0.0/0  -> 0.0.0.0/0  reject-with icmp-port-unreachable
> >
> > Remove the mask parameters from `is_same_interfaces`. Add a test-case.
> >
> > Fixes: 9ccae6397475 ("nft: Leave interface masks alone when parsing from kernel")
> > Signed-off-by: Jeremy Sowden <jeremy@xxxxxxxxxx>
> > Signed-off-by: Phil Sutter <phil@xxxxxx>
> > ---
> > Changes since v1:
> > - Replace the loop by strncmp() calls.
>
> LGTM.

Thanks for the quick review, both patches applied!

Cheers, Phil
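An added illustration of the bug the commit message describes, not code from iptables or from this thread: `struct iface_rule`, `make_rule` and the two comparison functions are reconstructions (assumed layout and names), showing why an all-zero mask makes the masked comparison vacuously true and how the strncmp() version behaves on the same "-C" check.

```c
#include <stdbool.h>
#include <string.h>
#define IFNAMSIZ 16  /* as in <net/if.h> */

/* One rule's interface names and masks (hypothetical layout). After
 * 9ccae6397475 the masks parsed from the kernel are left all-zero. */
struct iface_rule {
	char in[IFNAMSIZ], out[IFNAMSIZ];
	unsigned char in_mask[IFNAMSIZ], out_mask[IFNAMSIZ];
};

static struct iface_rule make_rule(const char *in, const char *out)
{
	struct iface_rule r = {0};           /* masks stay zero */
	strncpy(r.in, in, IFNAMSIZ - 1);
	strncpy(r.out, out, IFNAMSIZ - 1);
	return r;
}

/* Before the fix (reconstructed): masked per-byte comparison. With zero
 * masks, (x & 0) == (y & 0) for every byte, so any two rules compare equal. */
static bool is_same_interfaces_masked(const struct iface_rule *a, const struct iface_rule *b)
{
	for (int i = 0; i < IFNAMSIZ; i++) {
		if (a->in_mask[i] != b->in_mask[i] || a->out_mask[i] != b->out_mask[i])
			return false;
		if ((a->in[i] & a->in_mask[i]) != (b->in[i] & b->in_mask[i]))
			return false;
		if ((a->out[i] & a->out_mask[i]) != (b->out[i] & b->out_mask[i]))
			return false;
	}
	return true;
}

/* After the fix: drop the masks and compare the names with strncmp(). */
static bool is_same_interfaces_fixed(const struct iface_rule *a, const struct iface_rule *b)
{
	return strncmp(a->in, b->in, IFNAMSIZ) == 0 &&
	       strncmp(a->out, b->out, IFNAMSIZ) == 0;
}

/* The "-C test -i abcdefgh ! -o abcdefgh" check against the "-i lo ! -o lo"
 * rule: wrongly true before the fix, false after it. */
static bool check_rule_matches(bool use_fix)
{
	struct iface_rule rule = make_rule("lo", "lo");
	struct iface_rule probe = make_rule("abcdefgh", "abcdefgh");
	return use_fix ? is_same_interfaces_fixed(&rule, &probe)
		       : is_same_interfaces_masked(&rule, &probe);
}
```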