* [iptables PATCH] nft: Fix add_bitwise_u16() on Big Endian
@ 2019-09-20  9:30 Phil Sutter
  2019-09-20  9:36 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 2+ messages in thread
From: Phil Sutter @ 2019-09-20  9:30 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

The type used for the 'mask' and 'xor' parameters was wrong: 'int' is four bytes
on 32- or 64-bit architectures. After casting a uint16_t to int, on Big
Endian the first two bytes of data are (the leading) zeros, which libnftnl
then copies instead of the actual value.

This problem was noticed when using the '--fragment' option:

| # iptables-nft -A FORWARD --fragment -j ACCEPT
| # nft list ruleset | grep frag-off
| ip frag-off & 0 != 0 counter packets 0 bytes 0 accept

With this fix in place, the resulting nft rule is correct:

| ip frag-off & 8191 != 0 counter packets 0 bytes 0 accept

Fixes: 2f1fbab671576 ("iptables: nft: add -f support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/nft-shared.c | 2 +-
 iptables/nft-shared.h | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 1c09277d85fb5..62072520db2aa 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -69,7 +69,7 @@ void add_payload(struct nftnl_rule *r, int offset, int len, uint32_t base)
 }
 
 /* bitwise operation is = sreg & mask ^ xor */
-void add_bitwise_u16(struct nftnl_rule *r, int mask, int xor)
+void add_bitwise_u16(struct nftnl_rule *r, uint16_t mask, uint16_t xor)
 {
 	struct nftnl_expr *expr;
 
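Review bot: the fix relies on the parameter width now matching the length handed to libnftnl, but the call that passes `&mask` and `&xor` sits below the visible context of this hunk; confirm in the body that the length argument stays `sizeof(uint16_t)` (or becomes `sizeof(mask)`, which is now equivalent) so type and length cannot drift apart again, and audit the other helpers in this file for the same pattern of an `int` parameter being copied with a narrower length.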
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index f3eab6bd53a30..bb88a34679688 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -111,7 +111,7 @@ struct nft_family_ops {
 void add_meta(struct nftnl_rule *r, uint32_t key);
 void add_payload(struct nftnl_rule *r, int offset, int len, uint32_t base);
 void add_bitwise(struct nftnl_rule *r, uint8_t *mask, size_t len);
-void add_bitwise_u16(struct nftnl_rule *r, int mask, int xor);
+void add_bitwise_u16(struct nftnl_rule *r, uint16_t mask, uint16_t xor);
 void add_cmp_ptr(struct nftnl_rule *r, uint32_t op, void *data, size_t len);
 void add_cmp_u8(struct nftnl_rule *r, uint8_t val, uint32_t op);
 void add_cmp_u16(struct nftnl_rule *r, uint16_t val, uint32_t op);
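Review bot: with the prototype narrowed to `uint16_t`, a caller passing a wider host-order value is now silently truncated rather than mis-copied, so it is worth checking that every caller passes a value that already fits in 16 bits (the 0x1fff frag-off mask from the commit message does). The prototype and definition change together here, which keeps the declaration in sync with the new definition in nft-shared.c.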
-- 
2.23.0


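The mechanism the commit message describes, modelled as an added C example that is not iptables or libnftnl code: libnftnl's behaviour is reduced to a copy of `sizeof(uint16_t)` bytes from the parameter's address, and the byte layout is simulated for both endiannesses rather than taken from the host, so the zero-mask result shows up on any machine. The function names and the simulation are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
/* Simulated memory layout of a 32-bit object in the chosen byte order;
 * the host's real byte order is not used, so both cases run anywhere. */
static void store_u32(uint8_t buf[4], uint32_t v, int big_endian)
{
	for (int i = 0; i < 4; i++)
		buf[i] = (uint8_t)(v >> (big_endian ? (3 - i) * 8 : i * 8));
}

static void store_u16(uint8_t buf[2], uint16_t v, int big_endian)
{
	buf[0] = (uint8_t)(big_endian ? v >> 8 : v);
	buf[1] = (uint8_t)(big_endian ? v : v >> 8);
}

/* Read two bytes back in the same order: the mask as it lands in the rule. */
static uint16_t load_u16(const uint8_t buf[2], int big_endian)
{
	return big_endian ? (uint16_t)((buf[0] << 8) | buf[1])
			  : (uint16_t)((buf[1] << 8) | buf[0]);
}

/* Before the fix: 'mask' is an int, yet libnftnl is handed &mask with a
 * length of sizeof(uint16_t), so it copies the first two of four bytes. */
uint16_t mask_copied_before_fix(uint16_t mask, int big_endian)
{
	uint8_t obj[4];
	store_u32(obj, (uint32_t)mask, big_endian); /* uint16_t promoted to int */
	return load_u16(obj, big_endian);           /* bytes 0 and 1 only */
}

/* After the fix: 'mask' is a uint16_t, so the object is exactly the two
 * bytes that get copied, whatever the byte order. */
uint16_t mask_copied_after_fix(uint16_t mask, int big_endian)
{
	uint8_t obj[2];
	store_u16(obj, mask, big_endian);
	return load_u16(obj, big_endian);
}

int main(void)
{
	const uint16_t frag_mask = 0x1fff; /* 8191, the frag-off mask in the report */
	for (int be = 0; be <= 1; be++)
		printf("%s endian: before fix %u, after fix %u\n", be ? "big" : "little",
		       mask_copied_before_fix(frag_mask, be),
		       mask_copied_after_fix(frag_mask, be));
	return 0;
}
```

On the simulated big-endian layout the pre-fix copy yields 0, matching the `frag-off & 0` rule in the report, while the little-endian layout only works by accident because the low-order bytes happen to come first.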

* Re: [iptables PATCH] nft: Fix add_bitwise_u16() on Big Endian
@ 2019-09-20  9:36 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2019-09-20  9:36 UTC (permalink / raw)
  To: Phil Sutter; +Cc: netfilter-devel

On Fri, Sep 20, 2019 at 11:30:20AM +0200, Phil Sutter wrote:
> The type used for the 'mask' and 'xor' parameters was wrong: 'int' is four bytes
> on 32- or 64-bit architectures. After casting a uint16_t to int, on Big
> Endian the first two bytes of data are (the leading) zeros, which libnftnl
> then copies instead of the actual value.
> 
> This problem was noticed when using the '--fragment' option:
> 
> | # iptables-nft -A FORWARD --fragment -j ACCEPT
> | # nft list ruleset | grep frag-off
> | ip frag-off & 0 != 0 counter packets 0 bytes 0 accept
> 
> With this fix in place, the resulting nft rule is correct:
> 
> | ip frag-off & 8191 != 0 counter packets 0 bytes 0 accept
> 
> Fixes: 2f1fbab671576 ("iptables: nft: add -f support")
> Signed-off-by: Phil Sutter <phil@nwl.cc>

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
