* [PATCH nft] src: Check range bounds before converting to prefix
@ 2021-09-06 3:06 Xiao Liang
From: Xiao Liang @ 2021-09-06 3:06 UTC
To: netfilter-devel; +Cc: Xiao Liang
The lower bound must be the first value of the prefix to be converted.
For example, range "10.0.0.15-10.0.0.240" cannot be converted to
"10.0.0.15/24". Validate it by checking if the lower bound value has
enough trailing zeros.
Signed-off-by: Xiao Liang <shaw.leon@gmail.com>
---
src/netlink.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/src/netlink.c b/src/netlink.c
index cbf9d436..0fd0b664 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1079,12 +1079,15 @@ struct expr *range_expr_to_prefix(struct expr *range)
if (mpz_bitmask_is_prefix(bitmask, len)) {
prefix_len = mpz_bitmask_to_prefix(bitmask, len);
- prefix = prefix_expr_alloc(&range->location, expr_get(left),
- prefix_len);
- mpz_clear(bitmask);
- expr_free(range);
-
- return prefix;
+ if (mpz_scan1(left->value, 0) >= len - prefix_len) {
+ prefix = prefix_expr_alloc(&range->location,
+ expr_get(left),
+ prefix_len);
+ mpz_clear(bitmask);
+ expr_free(range);
+
+ return prefix;
+ }
}
mpz_clear(bitmask);
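Review bot: the new alignment test is nested as a second `if` inside the `mpz_bitmask_is_prefix()` branch, which leaves a duplicated `mpz_clear(bitmask)` on the fall-through path below the hunk; computing `prefix_len` first and folding both tests into one condition (`if (mpz_bitmask_is_prefix(bitmask, len) && mpz_scan1(left->value, 0) >= len - prefix_len)`) would keep a single success path and a single cleanup. The check itself is sufficient on its own: with `bitmask = left ^ right` already known to be a low bitmask, an aligned `left` means `right == left | bitmask`, so no separate test on the upper bound is needed; and for a lower bound of zero `mpz_scan1()` returns ULONG_MAX, so `0.0.0.0` still converts as intended. A regression case in tests/ exercising `snat to 10.0.0.15-10.0.0.240` would keep this from silently regressing.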
--
2.33.0
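The conversion the commit message describes, carried out on plain 32-bit IPv4 values so the pre-patch and post-patch behaviour can be compared side by side. This is an added example, not nftables' own code: `bitmask_is_prefix()`, `bitmask_to_prefix()` and `trailing_zeros()` are stand-ins for `mpz_bitmask_is_prefix()`, `mpz_bitmask_to_prefix()` and `mpz_scan1()`, and the input ranges are constructed for the demonstration.

```c
/* Added example, not nftables code: IPv4 range-to-prefix conversion with
 * and without the lower-bound alignment check introduced by the patch.
 * The helpers are stand-ins for mpz_bitmask_is_prefix(),
 * mpz_bitmask_to_prefix() and mpz_scan1() on 32-bit values. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ADDR_BITS 32

/* True when mask is 0...01...1 (set bits contiguous at the low end). */
static bool bitmask_is_prefix(uint32_t mask)
{
	return (mask & (mask + 1)) == 0;
}

/* Prefix length for a low bitmask: ADDR_BITS minus the host bits it covers. */
static int bitmask_to_prefix(uint32_t mask)
{
	int host_bits = 0;

	while (mask) {
		host_bits++;
		mask >>= 1;
	}
	return ADDR_BITS - host_bits;
}

/* Index of the lowest set bit, like mpz_scan1(v, 0); a zero value counts as
 * fully aligned (GMP returns ULONG_MAX there, which compares the same way). */
static int trailing_zeros(uint32_t v)
{
	int n = 0;

	if (v == 0)
		return ADDR_BITS;
	while (!(v & 1)) {
		n++;
		v >>= 1;
	}
	return n;
}

/* Convert [lo, hi] into a prefix length. check_bounds == false reproduces the
 * pre-patch behaviour; true adds the patch's alignment test on lo. */
static bool range_to_prefix(uint32_t lo, uint32_t hi, bool check_bounds,
			    int *prefix_len)
{
	uint32_t bitmask = lo ^ hi;
	int plen;

	if (!bitmask_is_prefix(bitmask))
		return false;
	plen = bitmask_to_prefix(bitmask);
	/* lo must start the block: its low ADDR_BITS - plen bits must be zero. */
	if (check_bounds && trailing_zeros(lo) < ADDR_BITS - plen)
		return false;
	*prefix_len = plen;
	return true;
}

static bool parse_ipv4(const char *s, uint32_t *out)
{
	unsigned a, b, c, d;

	if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 ||
	    a > 255 || b > 255 || c > 255 || d > 255)
		return false;
	*out = (a << 24) | (b << 16) | (c << 8) | d;
	return true;
}

/* Dotted-quad front end: prefix length, or -1 if the range is not a prefix. */
int range_str_to_prefix(const char *lo_s, const char *hi_s, bool check_bounds)
{
	uint32_t lo, hi;
	int plen;

	if (!parse_ipv4(lo_s, &lo) || !parse_ipv4(hi_s, &hi) || lo > hi)
		return -1;
	return range_to_prefix(lo, hi, check_bounds, &plen) ? plen : -1;
}

int main(void)
{
	/* Constructed cases; the first is the one from the commit message. */
	const char *cases[][2] = {
		{ "10.0.0.15", "10.0.0.240" }, /* XOR is 0xff, but 15 is not aligned */
		{ "10.0.0.0",  "10.0.0.255" }, /* genuine /24 */
		{ "10.0.0.64", "10.0.0.127" }, /* genuine /26 */
		{ "10.0.0.1",  "10.0.0.1"   }, /* single address, /32 */
		{ "10.0.0.1",  "10.0.0.2"   }, /* XOR is 0x3, but 1 is not aligned */
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%s-%s: before patch %d, after patch %d\n",
		       cases[i][0], cases[i][1],
		       range_str_to_prefix(cases[i][0], cases[i][1], false),
		       range_str_to_prefix(cases[i][0], cases[i][1], true));
	return 0;
}
```

Without the bound check, `10.0.0.15-10.0.0.240` and `10.0.0.1-10.0.0.2` both pass the XOR test and come back as `/24` and `/30`, which is exactly the wrong output the patch prevents; with it, only ranges whose lower bound starts the block convert, and everything else is left as a range.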
* Re: [PATCH nft] src: Check range bounds before converting to prefix
From: Pablo Neira Ayuso @ 2021-09-06 9:13 UTC
To: Xiao Liang; +Cc: netfilter-devel
Hi,
On Mon, Sep 06, 2021 at 11:06:41AM +0800, Xiao Liang wrote:
> The lower bound must be the first value of the prefix to be converted.
> For example, range "10.0.0.15-10.0.0.240" cannot be converted to
> "10.0.0.15/24". Validate it by checking if the lower bound value has
> enough trailing zeros.
# nft add rule x y ip saddr 10.0.0.15-10.0.0.240
# nft list ruleset
...
ip saddr 10.0.0.15-10.0.0.240
Is it a different range that triggers the problem?
* Re: [PATCH nft] src: Check range bounds before converting to prefix
From: Xiao Liang @ 2021-09-06 12:57 UTC
To: Pablo Neira Ayuso; +Cc: netfilter-devel
On Mon, Sep 6, 2021 at 5:13 PM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>
> Hi,
>
> On Mon, Sep 06, 2021 at 11:06:41AM +0800, Xiao Liang wrote:
> > The lower bound must be the first value of the prefix to be converted.
> > For example, range "10.0.0.15-10.0.0.240" cannot be converted to
> > "10.0.0.15/24". Validate it by checking if the lower bound value has
> > enough trailing zeros.
>
> # nft add rule x y ip saddr 10.0.0.15-10.0.0.240
> # nft list ruleset
> ...
> ip saddr 10.0.0.15-10.0.0.240
>
> Is it a different range that triggers the problem?
Hi,
Please try
# nft add rule x y snat to 10.0.0.15-10.0.0.240
* Re: [PATCH nft] src: Check range bounds before converting to prefix
From: Pablo Neira Ayuso @ 2021-09-06 20:04 UTC
To: Xiao Liang; +Cc: netfilter-devel
On Mon, Sep 06, 2021 at 11:06:41AM +0800, Xiao Liang wrote:
> The lower bound must be the first value of the prefix to be converted.
> For example, range "10.0.0.15-10.0.0.240" cannot be converted to
> "10.0.0.15/24". Validate it by checking if the lower bound value has
> enough trailing zeros.
Applied, thanks.