author | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-02-19 00:15:13 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-02-22 19:59:45 +0100 |
commit | 6c8db125b258da070313f20cdf9bc4124bba5383 (patch) | |
tree | 9657a507f1616c0da51683ecc5b9e759ae88a5a7 /iptables/nft-ipv6.c | |
parent | 0e067c7142c73404eb9ba6e355a28a92bf493675 (diff) |
iptables-compat: unset context flags in netlink delinearize step
Once the data that the compare expression provides have been digested.
For example:
-A INPUT -i noexist -p udplite -s 10.10.10.10/32 -d 10.0.0.10/32 -j ACCEPT
no longer shows the following broken output via iptables-compat-save:
-A INPUT -i
+t -p udplite -s 10.10.10.10/32 -d 10.0.0.10/32 -j ACCEPT
Reported-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Tested-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Diffstat (limited to 'iptables/nft-ipv6.c')
-rw-r--r-- | iptables/nft-ipv6.c | 20 |
1 files changed, 12 insertions, 8 deletions
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 37365da1..d50b138e 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -126,10 +126,12 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
 case offsetof(struct ip6_hdr, ip6_src):
 get_cmp_data(e, &addr, sizeof(addr), &inv);
 memcpy(cs->fw6.ipv6.src.s6_addr, &addr, sizeof(addr));
- if (ctx->flags & NFT_XT_CTX_BITWISE)
- parse_mask_ipv6(ctx, &cs->fw6.ipv6.smsk);
- else
- memset(&cs->fw.ip.smsk, 0xff, sizeof(struct in6_addr));
+ if (ctx->flags & NFT_XT_CTX_BITWISE) {
+ parse_mask_ipv6(ctx, &cs->fw6.ipv6.smsk);
+ ctx->flags &= ~NFT_XT_CTX_BITWISE;
+ } else {
+ memset(&cs->fw.ip.smsk, 0xff, sizeof(struct in6_addr));
+ }
 if (inv)
 cs->fw6.ipv6.invflags |= IPT_INV_SRCIP;
@@ -137,10 +139,12 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
 case offsetof(struct ip6_hdr, ip6_dst):
 get_cmp_data(e, &addr, sizeof(addr), &inv);
 memcpy(cs->fw6.ipv6.dst.s6_addr, &addr, sizeof(addr));
- if (ctx->flags & NFT_XT_CTX_BITWISE)
- parse_mask_ipv6(ctx, &cs->fw6.ipv6.dmsk);
- else
- memset(&cs->fw.ip.dmsk, 0xff, sizeof(struct in6_addr));
+ if (ctx->flags & NFT_XT_CTX_BITWISE) {
+ parse_mask_ipv6(ctx, &cs->fw6.ipv6.dmsk);
+ ctx->flags &= ~NFT_XT_CTX_BITWISE;
+ } else {
+ memset(&cs->fw.ip.dmsk, 0xff, sizeof(struct in6_addr));
+ }
 if (inv)
 cs->fw6.ipv6.invflags |= IPT_INV_DSTIP; |
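Review bot: The else branch in the ip6_src case still fills `cs->fw.ip.smsk` with `sizeof(struct in6_addr)` bytes, while the bitwise branch directly above it writes `cs->fw6.ipv6.smsk`; the ip6_dst hunk has the same mismatch with `dmsk`. If `fw` is the IPv4 entry, as the name suggests, the default all-ones mask lands in the wrong member and the write is sized for a different type, so the IPv6 mask is never set on this path and neighbouring fields may be overwritten; a listing that misstates an address or mask is a problem for anyone auditing the ruleset from iptables-compat-save output. Since the commit already rewrites these lines, they should read `memset(&cs->fw6.ipv6.smsk, 0xff, sizeof(struct in6_addr));` and `memset(&cs->fw6.ipv6.dmsk, 0xff, sizeof(struct in6_addr));`. The body of nft_ipv6_parse_payload starts and ends outside both hunks, so the struct layout should be confirmed against the header before merging.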