| author | Phil Sutter <phil@nwl.cc> | 2019-09-20 11:19:15 +0200 |
|---|---|---|
| committer | Phil Sutter <phil@nwl.cc> | 2019-09-23 22:13:20 +0200 |
| commit | 7c64eaf4b1b97ff69a7d9c5c13d4e9eff97d2cd1 (patch) | |
| tree | 5e2274d40d1ec704fdbddc54fcb7235cf87ae519 /iptables/nft-shared.c | |
| parent | 5a0294901db1df0d8b1f22c2f64e3b967562ad2e (diff) | |
nft: Fix add_bitwise_u16() on Big Endian
Type used for 'mask' and 'xor' parameters was wrong: 'int' is four bytes
on 32- or 64-bit architectures. After casting a uint16_t to int, on Big
Endian the first two bytes of data are (the leading) zero, which libnftnl
then copies instead of the actual value.
This problem was noticed when using '--fragment' option:
| # iptables-nft -A FORWARD --fragment -j ACCEPT
| # nft list ruleset | grep frag-off
| ip frag-off & 0 != 0 counter packets 0 bytes 0 accept
With this fix in place, the resulting nft rule is correct:
| ip frag-off & 8191 != 0 counter packets 0 bytes 0 accept
Fixes: 2f1fbab671576 ("iptables: nft: add -f support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
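To make the mechanism in the commit message concrete, the following added example (not part of the iptables tree or this commit) simulates the memory layout of an `int` and a `uint16_t` on a big-endian and a little-endian machine, then copies `sizeof(uint16_t)` bytes from the start of the variable, which is the assumption the commit message makes about what libnftnl does with the `mask`/`xor` arguments. The byte order is simulated explicitly so the code runs the same on any host. The value 8191 (0x1fff) is the frag-off mask shown in the corrected rule above.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Write a 32-bit value into 'out' in the requested byte order
 * (big_endian != 0 means most significant byte first). This stands in
 * for how an 'int' is laid out in memory on that architecture. */
static void store_u32(uint8_t out[4], uint32_t v, int big_endian)
{
    for (int i = 0; i < 4; i++) {
        int shift = big_endian ? 8 * (3 - i) : 8 * i;
        out[i] = (uint8_t)(v >> shift);
    }
}

/* Same for a 16-bit value, i.e. the layout of a uint16_t. */
static void store_u16(uint8_t out[2], uint16_t v, int big_endian)
{
    out[0] = (uint8_t)(big_endian ? v >> 8 : v);
    out[1] = (uint8_t)(big_endian ? v : v >> 8);
}

/* Read two bytes back as a uint16_t in the same byte order, which is
 * what the kernel side of the bitwise expression ends up seeing. */
static uint16_t load_u16(const uint8_t in[2], int big_endian)
{
    return big_endian ? (uint16_t)((in[0] << 8) | in[1])
                      : (uint16_t)((in[1] << 8) | in[0]);
}

/* Buggy path from before the fix: the uint16_t is promoted to a four byte
 * 'int' and only the first sizeof(uint16_t) bytes at its address are copied. */
uint16_t mask_via_int(uint16_t mask, int big_endian)
{
    uint8_t mem[4];
    uint8_t copy[2];

    store_u32(mem, (uint32_t)(int)mask, big_endian);
    memcpy(copy, mem, sizeof(copy)); /* libnftnl copying 2 bytes from &mask */
    return load_u16(copy, big_endian);
}

/* Fixed path: the parameter really is a uint16_t, so the two bytes at its
 * address are the value itself regardless of byte order. */
uint16_t mask_via_u16(uint16_t mask, int big_endian)
{
    uint8_t mem[2];
    uint8_t copy[2];

    store_u16(mem, mask, big_endian);
    memcpy(copy, mem, sizeof(copy));
    return load_u16(copy, big_endian);
}

int main(void)
{
    const uint16_t frag_mask = 8191; /* 0x1fff, from the corrected rule */

    printf("int parameter,      little endian: %u\n", mask_via_int(frag_mask, 0));
    printf("int parameter,      big endian:    %u\n", mask_via_int(frag_mask, 1));
    printf("uint16_t parameter, little endian: %u\n", mask_via_u16(frag_mask, 0));
    printf("uint16_t parameter, big endian:    %u\n", mask_via_u16(frag_mask, 1));
    return 0;
}
```

On the little-endian simulation both paths yield 8191, which is why the bug went unnoticed on x86; on the big-endian simulation the `int` path yields 0, reproducing the `frag-off & 0` rule from the commit message, while the `uint16_t` path yields 8191.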
Diffstat (limited to 'iptables/nft-shared.c')

| -rw-r--r-- | iptables/nft-shared.c | 2 |
|---|---|---|

1 files changed, 1 insertions, 1 deletions
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c index 1c09277d..62072520 100644 --- a/iptables/nft-shared.c +++ b/iptables/nft-shared.c @@ -69,7 +69,7 @@ void add_payload(struct nftnl_rule *r, int offset, int len, uint32_t base) } /* bitwise operation is = sreg & mask ^ xor */ -void add_bitwise_u16(struct nftnl_rule *r, int mask, int xor) +void add_bitwise_u16(struct nftnl_rule *r, uint16_t mask, uint16_t xor) { struct nftnl_expr *expr; |
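Review bot: the signature change in this hunk only fixes the truncation if the body of add_bitwise_u16() (not shown here) passes the parameters to libnftnl by address with a two-byte length, e.g. `nftnl_expr_set(expr, NFTNL_EXPR_BITWISE_MASK, &mask, sizeof(mask))`; worth confirming that the length argument there is `sizeof(mask)` rather than a literal 4 left over from the `int` version, since with `uint16_t` parameters a hard-coded 4 would now read two bytes past each variable. Callers that still pass `int`-typed values get an implicit narrowing conversion at the call site, which is fine for the 13-bit frag-off mask but would silently drop high bits for any future caller passing a wider value.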