diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-09-30 13:07:18 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-09-30 14:45:07 +0200 |
| commit | 2c4a34c30cb4db93653dbd139e04f7df963c3a41 (patch) | |
| tree | 17261327e3fb010eefe5e745e3ead71430363e9f /iptables/nft.c | |
| parent | 93ad9ea1b86bdaacffd8e33654abcea3d4e148b2 (diff) | |
iptables-compat: fix address prefix
This patch fixes:
# iptables-compat -I INPUT -s 1.2.3.0/24
generates this bytecode:
ip filter INPUT 20
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x00030201 ]
[ counter pkts 0 bytes 0 ]
and it displays:
# iptables-compat-save
...
-A INPUT -s 1.2.3.0/24
ip6tables-compat and arptables-compat are also fixed.
This patch uses the new context structure to annotate payload, meta
and bitwise, so it interprets the cmp expression based on the context.
This provides a rudimentary way to delinearize the iptables-compat
rule-set, but it should be enough for the built-in xtables selectors
since we still use the xtables extensions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/nft.c')
0 files changed, 0 insertions, 0 deletions