author | Florian Westphal <fw@strlen.de> | 2018-11-02 10:47:25 +0100 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2018-11-03 12:09:21 +0100 |
commit | d4bc5a38598b479b124973a821324ce867e87760 (patch) | |
tree | cb79ff0f7aea4c910111825c231db126054978e1 /extensions/libxt_standard.t | |
parent | 9ff99156b63ee39af3e8fce5ae5b0a2e2e8f0170 (diff) |
iptables-nft: fix bogus handling of zero saddr/daddr
rule for 0.0.0.0/8 is added as 0.0.0.0/0, because we did not check
mask (or negation, for that matter).
Fix this and add test cases too.
This also revealed an ip6tables-nft-save bug, it would print
' !-d', not '! -d'.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1287
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'extensions/libxt_standard.t')
-rw-r--r-- | extensions/libxt_standard.t | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/extensions/libxt_standard.t b/extensions/libxt_standard.t index 923569c3..bfdedb7a 100644 --- a/extensions/libxt_standard.t +++ b/extensions/libxt_standard.t @@ -1,4 +1,8 @@ :INPUT,FORWARD,OUTPUT +-s 127.0.0.1/32 -d 0.0.0.0/8 -j DROP;=;OK +! -s 0.0.0.0 -j ACCEPT;! -s 0.0.0.0/32 -j ACCEPT;OK +! -d 0.0.0.0/32 -j ACCEPT;=;OK +-s 0.0.0.0/24 -j RETURN;=;OK -j DROP;=;OK -j ACCEPT;=;OK -j RETURN;=;OK |
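Review bot: The two negated cases added at the top of the hunk (`! -s 0.0.0.0` and `! -d 0.0.0.0/32`) only use a /32 mask, so the combination of both missing checks named in the commit message, a zero address that is negated and also carries a partial mask, is never exercised. Consider adding a line such as `! -d 0.0.0.0/8 -j ACCEPT;=;OK`, since a rule that silently widens to 0.0.0.0/0 or loses its negation changes which traffic an ACCEPT or DROP applies to. The commit message also mentions the ip6tables-nft-save ' !-d' spacing bug, but none of the added lines uses an IPv6 address; if that case is covered in another test file, it would help to say so, otherwise a zero-address IPv6 case with negation would pin the fix down.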