1 files changed, 17 insertions, 12 deletions

diff --git a/src/conntrack/bsf.c b/src/conntrack/bsf.c
index 1549815..1e78bad 100644
--- a/src/conntrack/bsf.c
+++ b/src/conntrack/bsf.c
@@ -9,6 +9,7 @@
 
 #include "internal/internal.h"
 #include "internal/stack.h"
+#include <endian.h>
 #include <linux/filter.h>
 #include <stddef.h>		/* offsetof */
 
@@ -162,7 +163,7 @@ struct jump {
 
 static int
 nfct_bsf_cmp_k_stack(struct sock_filter *this, int k, 
-	       int jump_true, int pos, struct stack *s)
+		     int jump_true, int pos, struct stack *s)
 {
 	struct sock_filter __code = {
 		.code	= BPF_JMP|BPF_JEQ|BPF_K,
@@ -301,10 +302,14 @@ bsf_cmp_subsys(struct sock_filter *this, int pos, uint8_t subsys)
 		[1] = {
 			/* A = skb->data[X+k:B] (subsys_id) */
 			.code	= BPF_LD|BPF_B|BPF_IND,
+#if BYTE_ORDER == BIG_ENDIAN
+			.k	= 0,
+#else
 			.k	= sizeof(uint8_t),
+#endif
 		},
 		[2] = {
-			/* A == subsys ? jump +1 : accept */
+			/* A == subsys ? jump + 1 : accept */
 			.code	= BPF_JMP|BPF_JEQ|BPF_K,
 			.k	= subsys,
 			.jt	= 1,
@@ -331,7 +336,7 @@ add_state_filter_cta(struct sock_filter *this,
 	s = stack_create(sizeof(struct jump), 3 + 32);
 	if (s == NULL) {
 		errno = ENOMEM;
-		return -1;
+		return 0;
 	}
 
 	jt = 1;
@@ -398,7 +403,7 @@ add_state_filter(struct sock_filter *this,
 
 	if (cta[proto].cta_protoinfo == 0 && cta[proto].cta_state == 0) {
 		errno = ENOTSUP;
-		return -1;
+		return 0;
 	}
 
 	return add_state_filter_cta(this,
@@ -443,7 +448,7 @@ bsf_add_proto_filter(const struct nfct_filter *f, struct sock_filter *this)
 	s = stack_create(sizeof(struct jump), 3 + 255);
 	if (s == NULL) {
 		errno = ENOMEM;
-		return -1;
+		return 0;
 	}
 
 	jt = 1;
@@ -515,7 +520,7 @@ bsf_add_addr_ipv4_filter(const struct nfct_filter *f,
 	s = stack_create(sizeof(struct jump), 3 + 127);
 	if (s == NULL) {
 		errno = ENOMEM;
-		return -1;
+		return 0;
 	}
 
 	jt = 1;
@@ -600,7 +605,7 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f,
 	s = stack_create(sizeof(struct jump), 3 + 80);
 	if (s == NULL) {
 		errno = ENOMEM;
-		return -1;
+		return 0;
 	}
 
 	jf = 1;
@@ -635,8 +640,8 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f,
 					      j);
 			if (k < 3) {
 				j += nfct_bsf_cmp_k_stack_jf(this, ip,
-						jf - j - 1,
-						j, s);
+							     (3 - k) * 3 + 1,
+							     j, s);
 			} else {
 				/* last word: jump if true */
 				j += nfct_bsf_cmp_k_stack(this, ip, jf - j,
@@ -650,7 +655,7 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f,
 			this[jmp.line].jt += jmp.jt + j;
 		}
 		if (jmp.jf) {
-			this[jmp.line].jf += jmp.jf + j;
+			this[jmp.line].jf += jmp.jf;
 		}
 	}
 
@@ -699,7 +704,7 @@ bsf_add_mark_filter(const struct nfct_filter *f, struct sock_filter *this)
 	s = stack_create(sizeof(struct jump), 3 + 127);
 	if (s == NULL) {
 		errno = ENOMEM;
-		return -1;
+		return 0;
 	}
 
 	jt = 1;
@@ -778,7 +783,7 @@ int __setup_netlink_socket_filter(int fd, struct nfct_filter *f)
 	show_filter(bsf, from, j, "---- final verdict ----");
 	from = j;
 
-	sf.len = (sizeof(struct sock_filter) * j) / sizeof(bsf[0]);
+	sf.len = j;
 	sf.filter = bsf;
 
 	return setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, &sf, sizeof(sf));