diff options
| author | Giuseppe Longo <giuseppelng@gmail.com> | 2014-08-22 11:16:31 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-08-24 15:29:47 +0200 |
| commit | d579c3cba69ec958ca93216a77f15acfa1487e09 (patch) | |
| tree | f78711526ba6e99e9dcd8dd9c792f192cf8240ba /iptables/nft-arp.c | |
| parent | b772c3f24f75e586e406675e4b0b79eabfe3375e (diff) | |
nft: compare layer 4 protocol in first place
Currently the protocol is tested after the ip address,
this fixes the order testing the protocol before the ip address.
Now the code generated is incorrect:
ip filter INPUT 16
[ payload load 4b @ network header + 12 => reg 1 ]
[ cmp eq reg 1 0x0100a8c0 ]
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ match name tcp rev 0 ]
[ match name conntrack rev 3 ]
[ counter pkts 0 bytes 0 ]
[ immediate reg 0 accept ]
With this patch, the code generated is:
ip filter INPUT 16
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 4b @ network header + 12 => reg 1 ]
[ cmp eq reg 1 0x0100a8c0 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ match name tcp rev 0 ]
[ match name conntrack rev 3 ]
[ counter pkts 0 bytes 0 ]
[ immediate reg 0 accept ]
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/nft-arp.c')
0 files changed, 0 insertions, 0 deletions