netfilter-devel.vger.kernel.org archive mirror
* [PATCH conntrack-tools,v2 1/2] conntrackd: Fix "Address Accept" filter case
@ 2019-09-20 13:50 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2019-09-20 13:50 UTC (permalink / raw)
  To: netfilter-devel

From: Robin Geuze <robing@transip.nl>

This fixes a bug in the Address Accept filter case where if you only
specify either addresses or masks it would never match, e.g.

Filter From Userspace {
    Address Accept {
        IPv4_address 127.0.0.1
    }
}

or

Filter From Userspace {
    Address Accept {
        IPv4_address 0.0.0.0/0
    }
}

If lpm filter fails, fall back to hashtable lookup for exact matching.
If lpm filter succeeds, then depending on the policy, skip hashtable
lookup (in case policy is accept) or return mismatch (in case policy is
ignore).

Signed-off-by: Robin Geuze <robing@transip.nl>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v2: simplify previous version.

 src/filter.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/filter.c b/src/filter.c
index 00a5e96ecc24..65771025308f 100644
--- a/src/filter.c
+++ b/src/filter.c
@@ -335,16 +335,22 @@ ct_filter_check(struct ct_filter *f, const struct nf_conntrack *ct)
 		switch(nfct_get_attr_u8(ct, ATTR_L3PROTO)) {
 		case AF_INET:
 			ret = vector_iterate(f->v, ct, __ct_filter_test_mask4);
-			if (ret ^ f->logic[CT_FILTER_ADDRESS])
+			if (ret) {
+				if (f->logic[CT_FILTER_ADDRESS])
+					break;
 				return 0;
+			}
 			ret = __ct_filter_test_ipv4(f, ct);
 			if (ret ^ f->logic[CT_FILTER_ADDRESS])
 				return 0;
 			break;
 		case AF_INET6:
 			ret = vector_iterate(f->v6, ct, __ct_filter_test_mask6);
-			if (ret ^ f->logic[CT_FILTER_ADDRESS])
+			if (ret) {
+				if (f->logic[CT_FILTER_ADDRESS])
+					break;
 				return 0;
+			}
 			ret = __ct_filter_test_ipv6(f, ct);
 			if (ret ^ f->logic[CT_FILTER_ADDRESS])
 				return 0;
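Review bot: the AF_INET and AF_INET6 arms now carry the same three-way decision twice (prefix hit: `break` under Accept, `return 0` under Ignore; prefix miss: hashtable lookup XORed with the policy), so the two arms are one edit away from diverging; a small static helper taking `ret`, `f->logic[CT_FILTER_ADDRESS]` and the exact-match result would keep them identical. Two things the commit message should also state: the `break` on an Accept hit only leaves the `switch`, so the accept result depends on whatever follows the switch, and the `0.0.0.0/0` example only works once patch 2/2 is applied, because `ipv4_cidr2mask_host(0)` otherwise shifts by 32; applying 1/2 on its own will not make that example pass, which matters when bisecting.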
-- 
2.11.0



* [PATCH conntrack-tools,v2 2/2] conntrackd: incorrect filtering of Address with cidr /0
From: Pablo Neira Ayuso @ 2019-09-20 13:50 UTC (permalink / raw)
  To: netfilter-devel

Set an all zero mask when cidr /0 is specified.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v2: no changes.

 src/cidr.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/cidr.c b/src/cidr.c
index 91025b6091ed..6ef85c74a626 100644
--- a/src/cidr.c
+++ b/src/cidr.c
@@ -24,6 +24,9 @@
 /* returns the netmask in host byte order */
 uint32_t ipv4_cidr2mask_host(uint8_t cidr)
 {
+	if (cidr == 0)
+		return 0;
+
 	return 0xFFFFFFFF << (32 - cidr);
 }
 
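Review bot: the guard removes the shift-by-32 case (undefined behaviour for a 32-bit operand), but `cidr > 32` still produces a negative shift count, which is equally undefined; either clamp here (`if (cidr > 32) cidr = 32;`) or say in the comment above that callers validate the prefix length first, since the function is not static and is reachable from any caller.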
@@ -42,10 +45,13 @@ void ipv6_cidr2mask_host(uint8_t cidr, uint32_t *res)
 		res[i] = 0xFFFFFFFF;
 		cidr -= 32;
 	}
-	res[i] = 0xFFFFFFFF << (32 - cidr);
-	for (j = i+1; j < 4; j++) {
+	if (cidr == 0)
+		res[i] = 0;
+	else
+		res[i] = 0xFFFFFFFF << (32 - cidr);
+
+	for (j = i + 1; j < 4; j++)
 		res[j] = 0;
-	}
 }
 
 void ipv6_cidr2mask_net(uint8_t cidr, uint32_t *res)
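Review bot: the new `if (cidr == 0) res[i] = 0; else res[i] = 0xFFFFFFFF << (32 - cidr);` duplicates exactly the guard added to `ipv4_cidr2mask_host()` in the hunk above; `res[i] = ipv4_cidr2mask_host(cidr);` would keep the check in one place. The loop condition is outside the hunk, so please confirm in the message which prefix lengths leave `cidr == 0` after the loop (only /0, or every multiple of 32) and that `i` cannot reach 4 there, because `res[i]` is written unconditionally into a 4-word mask. The brace removal on the trailing `for` is a cosmetic change mixed into the fix and would be cleaner as a separate patch.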
-- 
2.11.0
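Added example, not conntrack-tools code and not part of either message above: a self-contained C model of the filter decision that 1/2 describes (prefix lookup first, then fall back to exact matching, with the Accept/Ignore policy deciding) next to the pre-fix decision, plus CIDR-to-netmask helpers carrying the /0 guard from 2/2. All names (cidr4_to_mask_host, cidr6_to_mask_host, filter_check_old, filter_check_new, struct addr_filter), the in-memory layout of the filter and the sample addresses are assumptions made for this example; the clamp of prefix lengths above 32 and 128 is added hardening that the patches do not contain.

```c
/* Added example, not conntrack-tools code: a self-contained model of the
 * conntrackd "Address" filter decision before and after the ct_filter_check()
 * fix, plus CIDR-to-netmask helpers with the /0 guard from patch 2/2. The
 * filter layout, all names and the sample addresses are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Host-order IPv4 netmask. cidr == 0 must not reach the shift: shifting a
 * 32-bit value by 32 is undefined behaviour in C. Clamping cidr > 32 is
 * extra hardening assumed here, not something the patch does. */
uint32_t cidr4_to_mask_host(uint8_t cidr)
{
	if (cidr == 0)
		return 0;
	if (cidr > 32)
		cidr = 32;
	return 0xFFFFFFFFu << (32 - cidr);
}

/* IPv6 netmask as four host-order words. Reusing the IPv4 helper per word
 * applies the zero-shift guard to every word, which matters for prefixes
 * that are multiples of 32 (/0, /32, /64, /96), not only for /0. */
void cidr6_to_mask_host(uint8_t cidr, uint32_t res[4])
{
	if (cidr > 128)
		cidr = 128;
	for (int i = 0; i < 4; i++) {
		uint8_t bits = cidr >= 32 ? 32 : cidr;
		res[i] = cidr4_to_mask_host(bits);
		cidr -= bits;
	}
}

/* One word of the IPv6 mask, handy for checks. */
uint32_t cidr6_word(uint8_t cidr, int i)
{
	uint32_t res[4];
	cidr6_to_mask_host(cidr, res);
	return res[i];
}

enum policy { POLICY_IGNORE = 0, POLICY_ACCEPT = 1 };
struct prefix4 { uint32_t addr; uint8_t cidr; };

struct addr_filter {
	enum policy policy;
	const struct prefix4 *prefixes; size_t nprefixes; /* LPM ("mask") list */
	const uint32_t *exact; size_t nexact;             /* hashtable of plain addresses */
};

uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
	return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

static bool prefix_match(const struct addr_filter *f, uint32_t addr)
{
	for (size_t i = 0; i < f->nprefixes; i++) {
		uint32_t m = cidr4_to_mask_host(f->prefixes[i].cidr);
		if ((addr & m) == (f->prefixes[i].addr & m))
			return true;
	}
	return false;
}

static bool exact_match(const struct addr_filter *f, uint32_t addr)
{
	for (size_t i = 0; i < f->nexact; i++)
		if (f->exact[i] == addr)
			return true;
	return false;
}

/* Before the fix: each lookup is XORed with the policy on its own, so under
 * Accept both must hit and a filter holding only prefixes or only plain
 * addresses never keeps a flow. true means the flow is kept. */
bool filter_check_old(const struct addr_filter *f, uint32_t addr)
{
	bool accept = f->policy == POLICY_ACCEPT;
	if (prefix_match(f, addr) ^ accept)
		return false;
	return !(exact_match(f, addr) ^ accept);
}

/* After the fix: a prefix hit settles the flow by the policy alone; only on
 * a miss does the exact-match lookup decide. */
bool filter_check_new(const struct addr_filter *f, uint32_t addr)
{
	bool accept = f->policy == POLICY_ACCEPT;
	if (prefix_match(f, addr))
		return accept;
	return !(exact_match(f, addr) ^ accept);
}

/* Constructed filters: the two Accept configs from the commit message of 1/2
 * and an Ignore filter mixing a prefix with a plain address. */
static const uint32_t only_addr[] = { 0x7F000001u };          /* 127.0.0.1 */
static const struct prefix4 any4[] = { { 0u, 0 } };           /* 0.0.0.0/0 */
static const struct prefix4 net10[] = { { 0x0A000000u, 8 } }; /* 10.0.0.0/8 */
static const uint32_t host_doc[] = { 0xC0000201u };           /* 192.0.2.1 */
const struct addr_filter accept_only_addr = { POLICY_ACCEPT, NULL, 0, only_addr, 1 };
const struct addr_filter accept_any = { POLICY_ACCEPT, any4, 1, NULL, 0 };
const struct addr_filter ignore_mixed = { POLICY_IGNORE, net10, 1, host_doc, 1 };
```

Under Accept, filter_check_old() rejects 127.0.0.1 for both configs taken from the commit message, while filter_check_new() keeps it; under Ignore the two functions agree on every address, which is why only the Accept case needed the change in 1/2. cidr4_to_mask_host(0) returns 0 instead of performing the undefined 32-bit shift that 2/2 removes.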


