authorGiuseppe Longo <giuseppelng@gmail.com>2014-08-22 11:16:31 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2014-08-24 15:29:47 +0200
commitd579c3cba69ec958ca93216a77f15acfa1487e09 (patch)
treef78711526ba6e99e9dcd8dd9c792f192cf8240ba
parentb772c3f24f75e586e406675e4b0b79eabfe3375e (diff)
nft: compare layer 4 protocol in first place
Currently the protocol is tested after the ip address; this fixes the order so that the protocol is tested before the ip address. Without this patch, the code generated is incorrect: ip filter INPUT 16 [ payload load 4b @ network header + 12 => reg 1 ] [ cmp eq reg 1 0x0100a8c0 ] [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ match name tcp rev 0 ] [ match name conntrack rev 3 ] [ counter pkts 0 bytes 0 ] [ immediate reg 0 accept ] With this patch, the code generated is: ip filter INPUT 16 [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 4b @ network header + 12 => reg 1 ] [ cmp eq reg 1 0x0100a8c0 ] [ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ] [ match name tcp rev 0 ] [ match name conntrack rev 3 ] [ counter pkts 0 bytes 0 ] [ immediate reg 0 accept ] Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--iptables/nft-ipv4.c8
-rw-r--r--iptables/nft-ipv6.c8
2 files changed, 8 insertions, 8 deletions
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 33bc581a..70050ba5 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -37,6 +37,10 @@ static int nft_ipv4_add(struct nft_rule *r, void *data)
if (cs->fw.ip.outiface[0] != '\0')
add_outiface(r, cs->fw.ip.outiface, cs->fw.ip.invflags);
+ if (cs->fw.ip.proto != 0)
+ add_proto(r, offsetof(struct iphdr, protocol), 1,
+ cs->fw.ip.proto, cs->fw.ip.invflags);
+
if (cs->fw.ip.src.s_addr != 0)
add_addr(r, offsetof(struct iphdr, saddr),
&cs->fw.ip.src.s_addr, 4, cs->fw.ip.invflags);
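Review bot: The ordering constraint this commit fixes is enforced only by statement position, with nothing in the new `if (cs->fw.ip.proto != 0)` block or its surroundings saying that the protocol test must come first, so a later edit can silently reintroduce the wrong expression order that the commit message shows. The commit message only states that the order is fixed, not why the protocol comparison must precede the address comparisons; presumably the later `match name tcp` / `add_compat` expressions rely on the layer-4 protocol having already been established, but that is not visible here. I would add a short why-comment above the new block, `/* Compare the L4 protocol before the address tests: the expression order in the generated rule is significant. */`, and the same comment above the equivalent block in the nft-ipv6.c hunk (`if (cs->fw6.ipv6.proto != 0)`), which has the same gap. nft_ipv4_add continues outside the hunk, so I cannot confirm whether any later expression in the function depends on this ordering.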
@@ -45,10 +49,6 @@ static int nft_ipv4_add(struct nft_rule *r, void *data)
add_addr(r, offsetof(struct iphdr, daddr),
&cs->fw.ip.dst.s_addr, 4, cs->fw.ip.invflags);
- if (cs->fw.ip.proto != 0)
- add_proto(r, offsetof(struct iphdr, protocol), 1,
- cs->fw.ip.proto, cs->fw.ip.invflags);
-
if (cs->fw.ip.flags & IPT_F_FRAG) {
add_payload(r, offsetof(struct iphdr, frag_off), 2);
/* get the 13 bits that contain the fragment offset */
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 00f1bf8e..52de5b69 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -34,6 +34,10 @@ static int nft_ipv6_add(struct nft_rule *r, void *data)
if (cs->fw6.ipv6.outiface[0] != '\0')
add_outiface(r, cs->fw6.ipv6.outiface, cs->fw6.ipv6.invflags);
+ if (cs->fw6.ipv6.proto != 0)
+ add_proto(r, offsetof(struct ip6_hdr, ip6_nxt), 1,
+ cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags);
+
if (!IN6_IS_ADDR_UNSPECIFIED(&cs->fw6.ipv6.src))
add_addr(r, offsetof(struct ip6_hdr, ip6_src),
&cs->fw6.ipv6.src, 16, cs->fw6.ipv6.invflags);
@@ -42,10 +46,6 @@ static int nft_ipv6_add(struct nft_rule *r, void *data)
add_addr(r, offsetof(struct ip6_hdr, ip6_dst),
&cs->fw6.ipv6.dst, 16, cs->fw6.ipv6.invflags);
- if (cs->fw6.ipv6.proto != 0)
- add_proto(r, offsetof(struct ip6_hdr, ip6_nxt), 1,
- cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags);
-
add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags);
for (matchp = cs->matches; matchp; matchp = matchp->next) {