authorRobin Geuze <robing@transip.nl>2019-05-28 07:03:59 +0000
committerPablo Neira Ayuso <pablo@netfilter.org>2019-09-30 18:23:17 +0200
commitfd31364ba44ee57274faaac53b895bcc717f77c9 (patch)
tree23f6ac429d6367f3db43751947d2a060e53b0089 /src
parent7c5f4b390f4b8dc02aceb0a18ed7c59ff14f392c (diff)
conntrackd: Fix "Address Accept" filter case
This fixes a bug in the Address Accept filter case where, if you only specify either addresses or masks, it would never match, e.g. Filter From Userspace { Address Accept { IPv4_address 127.0.0.1 } } or Filter From Userspace { Address Accept { IPv4_address 0.0.0.0/0 } } If the lpm filter fails, fall back to the hashtable lookup for exact matching. If the lpm filter succeeds, then depending on the policy, skip the hashtable lookup (in case the policy is accept) or return a mismatch (in case the policy is ignore). Signed-off-by: Robin Geuze <robing@transip.nl> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r--src/filter.c10
1 files changed, 8 insertions, 2 deletions
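diff --git a/src/filter.c b/src/filter.c
index 00a5e96..6577102 100644
--- a/src/filter.c
+++ b/src/filter.c
@@ -335,16 +335,22 @@ ct_filter_check(struct ct_filter *f, const struct nf_conntrack *ct)
 switch(nfct_get_attr_u8(ct, ATTR_L3PROTO)) {
 case AF_INET:
 ret = vector_iterate(f->v, ct, __ct_filter_test_mask4);
-if (ret ^ f->logic[CT_FILTER_ADDRESS])
+if (ret) {
+if (f->logic[CT_FILTER_ADDRESS])
+break;
 return 0;
+}
 ret = __ct_filter_test_ipv4(f, ct);
 if (ret ^ f->logic[CT_FILTER_ADDRESS])
 return 0;
 break;
 case AF_INET6:
 ret = vector_iterate(f->v6, ct, __ct_filter_test_mask6);
-if (ret ^ f->logic[CT_FILTER_ADDRESS])
+if (ret) {
+if (f->logic[CT_FILTER_ADDRESS])
+break;
 return 0;
+}
 ret = __ct_filter_test_ipv6(f, ct);
 if (ret ^ f->logic[CT_FILTER_ADDRESS])
 return 0;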
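Review bot: The lpm-then-hashtable fallback that the commit message describes is not visible in the code itself: the nested `if (ret) { if (f->logic[CT_FILTER_ADDRESS]) break; return 0; }` at the top of both the AF_INET and AF_INET6 arms reads as "any lpm hit is final", and nothing in the hunk says that an lpm miss deliberately falls through to the exact-address lookup, or that `break` here means the entry passed the filter. Since this is the accept/ignore decision of the address filter, a comment above the first check such as `/* A mask (lpm) match is decisive: accept policy passes the entry, ignore policy drops it. On a miss, fall back to the exact-address hash lookup below. */` would let a reader check the policy logic without the commit log; the same comment belongs on the AF_INET6 arm. The two arms are now identical apart from the vector and the two callbacks, so a small static helper taking those three as arguments would keep the two policy paths from drifting apart in later edits. The enclosing ct_filter_check() and its switch start before this hunk and continue past it, so the meaning of `break` (and any default arm) cannot be confirmed from the visible lines.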