ebtables match inverted in 2.6.28?

ebtables match inverted in 2.6.28?

[Matt Cross]

I think the work to move ebtables to use xtables broke ebtables.
Specifically, in commit 8cc784eec6676b58e7f60419c88179aaa97bf71c the
return value of the match functions was inverted so that they return 1
(true) on matches instead of EBT_MATCH (0), and vice versa (look in
ebt_ip.c).  The logic in ebtables.c (ebt_do_table() and
EBT_MATCH_ITERATE()) expect match functions to return 0 for matches.

The patch at the end of this message fixes the problem, but seems a
little hacky to me.  Who's the right person to address this?

    -Matt


--- linux-2.6.28.orig/net/bridge/netfilter/ebtables.c   2008-12-24
18:26:37.000000000 -0500
+++ linux-2.6.28/net/bridge/netfilter/ebtables.c        2008-12-31
16:17:44.000000000 -0500
@@ -80,7 +80,7 @@
 {
        par->match     = m->u.match;
        par->matchinfo = m->data;
-       return m->u.match->match(skb, par);
+       return !m->u.match->match(skb, par);
 }

 static inline int ebt_dev_check(char *entry, const struct net_device *device)

[PATCH] ebtables match inverted in 2.6.28? (Was: Re: ebtables match inverted in 2.6.28?)

[Matthew Helsley]

On Wed, 2008-12-31 at 17:00 -0500, Matt Cross wrote:
> I think the work to move ebtables to use xtables broke ebtables.
> Specifically, in commit 8cc784eec6676b58e7f60419c88179aaa97bf71c the
> return value of the match functions was inverted so that they return 1
> (true) on matches instead of EBT_MATCH (0), and vice versa (look in
> ebt_ip.c).  The logic in ebtables.c (ebt_do_table() and
> EBT_MATCH_ITERATE()) expect match functions to return 0 for matches.
> 
> The patch at the end of this message fixes the problem, but seems a
> little hacky to me.  Who's the right person to address this?
> 
>     -Matt

I suspect the right place to send this is:
netfilter-devel@vger.kernel.org

The subject line should indicate that you've contributed a patch
otherwise you may not get a quick response (I've modified it
accordingly).

For more on submitting patches you can read
Documentation/SubmittingPatches and Documentation/SubmitChecklist

Cheers,
	-Matt Helsley

> 
> --- linux-2.6.28.orig/net/bridge/netfilter/ebtables.c   2008-12-24
> 18:26:37.000000000 -0500
> +++ linux-2.6.28/net/bridge/netfilter/ebtables.c        2008-12-31
> 16:17:44.000000000 -0500
> @@ -80,7 +80,7 @@
>  {
>         par->match     = m->u.match;
>         par->matchinfo = m->data;
> -       return m->u.match->match(skb, par);
> +       return !m->u.match->match(skb, par);
>  }
> 
>  static inline int ebt_dev_check(char *entry, const struct net_device *device)
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
> 

Re: [PATCH] ebtables match inverted in 2.6.28? (Was: Re: ebtables match inverted in 2.6.28?)

[Patrick McHardy]

Matthew Helsley wrote:
> On Wed, 2008-12-31 at 17:00 -0500, Matt Cross wrote:
>> I think the work to move ebtables to use xtables broke ebtables.
>> Specifically, in commit 8cc784eec6676b58e7f60419c88179aaa97bf71c the
>> return value of the match functions was inverted so that they return 1
>> (true) on matches instead of EBT_MATCH (0), and vice versa (look in
>> ebt_ip.c).  The logic in ebtables.c (ebt_do_table() and
>> EBT_MATCH_ITERATE()) expect match functions to return 0 for matches.
>>
>> The patch at the end of this message fixes the problem, but seems a
>> little hacky to me.  Who's the right person to address this?

Jan, could you have a look at this please?

>> --- linux-2.6.28.orig/net/bridge/netfilter/ebtables.c   2008-12-24
>> 18:26:37.000000000 -0500
>> +++ linux-2.6.28/net/bridge/netfilter/ebtables.c        2008-12-31
>> 16:17:44.000000000 -0500
>> @@ -80,7 +80,7 @@
>>  {
>>         par->match     = m->u.match;
>>         par->matchinfo = m->data;
>> -       return m->u.match->match(skb, par);
>> +       return !m->u.match->match(skb, par);
>>  }

Re: [PATCH] ebtables match inverted in 2.6.28? (Was: Re: ebtables match inverted in 2.6.28?)

[Jan Engelhardt]

On Monday 2009-01-12 06:14, Patrick McHardy wrote:

> Matthew Helsley wrote:
>> On Wed, 2008-12-31 at 17:00 -0500, Matt Cross wrote:
>>> I think the work to move ebtables to use xtables broke ebtables.
>>> Specifically, in commit 8cc784eec6676b58e7f60419c88179aaa97bf71c the
>>> return value of the match functions was inverted so that they return 1
>>> (true) on matches instead of EBT_MATCH (0), and vice versa (look in
>>> ebt_ip.c).  The logic in ebtables.c (ebt_do_table() and
>>> EBT_MATCH_ITERATE()) expect match functions to return 0 for matches.
>>>
>>> The patch at the end of this message fixes the problem, but seems a
>>> little hacky to me.  Who's the right person to address this?
>
> Jan, could you have a look at this please?

That seemds indeed so.
Patch is both for 2.6.29-running and 2.6.28.

parent 1e8ca9528de86bdb2d73fbdfb27a10131bb5c593 (v2.6.29-rc1-21-g1e8ca95)
commit cc46eb3e855b7c1f628e934e01b97f4f2642973e
Author: Jan Engelhardt <jengelh@medozas.de>
Date:   Mon Jan 12 08:40:22 2009 +0100

netfilter: ebtables: fix inversion in match code

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 net/bridge/netfilter/ebtables.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index fa108c4..9f46235 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -79,7 +79,7 @@ static inline int ebt_do_match (struct ebt_entry_match *m,
 {
 	par->match     = m->u.match;
 	par->matchinfo = m->data;
-	return m->u.match->match(skb, par);
+	return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH;
 }
 
 static inline int ebt_dev_check(char *entry, const struct net_device *device)
-- 
# Created with git-export-patch

Re: [PATCH] ebtables match inverted in 2.6.28? (Was: Re: ebtables match inverted in 2.6.28?)

[Patrick McHardy]

[-- Attachment #1: Type: text/plain, Size: 845 bytes --]

Jan Engelhardt wrote:
>>> On Wed, 2008-12-31 at 17:00 -0500, Matt Cross wrote:
>>>> I think the work to move ebtables to use xtables broke ebtables.
>>>> Specifically, in commit 8cc784eec6676b58e7f60419c88179aaa97bf71c the
>>>> return value of the match functions was inverted so that they return 1
>>>> (true) on matches instead of EBT_MATCH (0), and vice versa (look in
>>>> ebt_ip.c).  The logic in ebtables.c (ebt_do_table() and
>>>> EBT_MATCH_ITERATE()) expect match functions to return 0 for matches.
>>>>
>> Jan, could you have a look at this please?
> 
> That seemds indeed so.
> Patch is both for 2.6.29-running and 2.6.28.
> 
> netfilter: ebtables: fix inversion in match code

Applied, thanks. When fixing regressions please state the commit
ID and subject of the patch introducing the breakage and also who
reported it.

Like this.


[-- Attachment #2: 01.diff --]
[-- Type: text/x-patch, Size: 1032 bytes --]

commit c6b52c688ecf03adb82724299b97701528821ca5
Author: Jan Engelhardt <jengelh@medozas.de>
Date:   Mon Jan 12 08:52:08 2009 +0100

    netfilter: ebtables: fix inversion in match code
    
    Commit 8cc784ee (netfilter: change return types of match functions
    for ebtables extensions) broke ebtables matches by inverting the
    sense of match/nomatch.
    
    Reported-by: Matt Cross <matthltc@us.ibm.com>
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 8a8743d..820252a 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -79,7 +79,7 @@ static inline int ebt_do_match (struct ebt_entry_match *m,
 {
 	par->match     = m->u.match;
 	par->matchinfo = m->data;
-	return m->u.match->match(skb, par);
+	return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH;
 }
 
 static inline int ebt_dev_check(char *entry, const struct net_device *device)

Re: [PATCH] ebtables match inverted in 2.6.28? (Was: Re: ebtables match inverted in 2.6.28?)

[Matt Helsley]

On Mon, 2009-01-12 at 08:54 +0100, Patrick McHardy wrote:
> commit c6b52c688ecf03adb82724299b97701528821ca5
> Author: Jan Engelhardt <jengelh@medozas.de>
> Date:   Mon Jan 12 08:52:08 2009 +0100
> 
>     netfilter: ebtables: fix inversion in match code
>     
>     Commit 8cc784ee (netfilter: change return types of match functions
>     for ebtables extensions) broke ebtables matches by inverting the
>     sense of match/nomatch.
>     
>     Reported-by: Matt Cross <matthltc@us.ibm.com>

Argh, I totally skimmed past this mistake earlier!
Should be:
	Reported-by: Matt Cross <matt.cross@gmail.com>

I just directed Matt Cross to the appropriate mailing list.

Cheers,
	-Matt Helsley