From d579c3cba69ec958ca93216a77f15acfa1487e09 Mon Sep 17 00:00:00 2001
From: Giuseppe Longo <giuseppelng@gmail.com>
Date: Fri, 22 Aug 2014 11:16:31 +0200
Subject: nft: compare layer 4 protocol in first place

Currently the protocol is tested after the ip address,
this fixes the order testing the protocol before the ip address.

Now the code generated is incorrect:

ip filter INPUT 16
  [ payload load 4b @ network header + 12 => reg 1 ]
  [ cmp eq reg 1 0x0100a8c0 ]
  [ payload load 1b @ network header + 9 => reg 1 ]
  [ cmp eq reg 1 0x00000006 ]
  [ match name tcp rev 0 ]
  [ match name conntrack rev 3 ]
  [ counter pkts 0 bytes 0 ]
  [ immediate reg 0 accept ]

With this patch, the code generated is:
ip filter INPUT 16
  [ payload load 1b @ network header + 9 => reg 1 ]
  [ cmp eq reg 1 0x00000006 ]
  [ payload load 4b @ network header + 12 => reg 1 ]
  [ cmp eq reg 1 0x0100a8c0 ]
  [ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
  [ match name tcp rev 0 ]
  [ match name conntrack rev 3 ]
  [ counter pkts 0 bytes 0 ]
  [ immediate reg 0 accept ]

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 iptables/nft-ipv4.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'iptables/nft-ipv4.c')

diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 33bc581a..70050ba5 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -37,6 +37,10 @@ static int nft_ipv4_add(struct nft_rule *r, void *data)
 	if (cs->fw.ip.outiface[0] != '\0')
 		add_outiface(r, cs->fw.ip.outiface, cs->fw.ip.invflags);
 
+	if (cs->fw.ip.proto != 0)
+		add_proto(r, offsetof(struct iphdr, protocol), 1,
+			  cs->fw.ip.proto, cs->fw.ip.invflags);
+
 	if (cs->fw.ip.src.s_addr != 0)
 		add_addr(r, offsetof(struct iphdr, saddr),
 			 &cs->fw.ip.src.s_addr, 4, cs->fw.ip.invflags);
@@ -45,10 +49,6 @@ static int nft_ipv4_add(struct nft_rule *r, void *data)
 		add_addr(r, offsetof(struct iphdr, daddr),
 			 &cs->fw.ip.dst.s_addr, 4, cs->fw.ip.invflags);
 
-	if (cs->fw.ip.proto != 0)
-		add_proto(r, offsetof(struct iphdr, protocol), 1,
-			  cs->fw.ip.proto, cs->fw.ip.invflags);
-
 	if (cs->fw.ip.flags & IPT_F_FRAG) {
 		add_payload(r, offsetof(struct iphdr, frag_off), 2);
 		/* get the 13 bits that contain the fragment offset */
-- 
cgit v1.2.3