Diffstat (limited to 'src/conntrack/bsf.c')
-rw-r--r-- | src/conntrack/bsf.c | 29 |
1 files changed, 17 insertions, 12 deletions
diff --git a/src/conntrack/bsf.c b/src/conntrack/bsf.c
index 1549815..1e78bad 100644
--- a/src/conntrack/bsf.c
+++ b/src/conntrack/bsf.c
@@ -9,6 +9,7 @@ #include "internal/internal.h" #include "internal/stack.h" +#include <endian.h> #include <linux/filter.h> #include <stddef.h> /* offsetof */
@@ -162,7 +163,7 @@ struct jump { static int nfct_bsf_cmp_k_stack(struct sock_filter *this, int k, - int jump_true, int pos, struct stack *s) + int jump_true, int pos, struct stack *s) { struct sock_filter __code = { .code = BPF_JMP|BPF_JEQ|BPF_K,
@@ -301,10 +302,14 @@ bsf_cmp_subsys(struct sock_filter *this, int pos, uint8_t subsys) [1] = { /* A = skb->data[X+k:B] (subsys_id) */ .code = BPF_LD|BPF_B|BPF_IND, +#if BYTE_ORDER == BIG_ENDIAN + .k = 0, +#else .k = sizeof(uint8_t), +#endif }, [2] = { - /* A == subsys ? jump +1 : accept */ + /* A == subsys ? jump + 1 : accept */ .code = BPF_JMP|BPF_JEQ|BPF_K, .k = subsys, .jt = 1,
@@ -331,7 +336,7 @@ add_state_filter_cta(struct sock_filter *this, s = stack_create(sizeof(struct jump), 3 + 32); if (s == NULL) { errno = ENOMEM; - return -1; + return 0; } jt = 1;
@@ -398,7 +403,7 @@ add_state_filter(struct sock_filter *this, if (cta[proto].cta_protoinfo == 0 && cta[proto].cta_state == 0) { errno = ENOTSUP; - return -1; + return 0; } return add_state_filter_cta(this,
@@ -443,7 +448,7 @@ bsf_add_proto_filter(const struct nfct_filter *f, struct sock_filter *this) s = stack_create(sizeof(struct jump), 3 + 255); if (s == NULL) { errno = ENOMEM; - return -1; + return 0; } jt = 1;
@@ -515,7 +520,7 @@ bsf_add_addr_ipv4_filter(const struct nfct_filter *f, s = stack_create(sizeof(struct jump), 3 + 127); if (s == NULL) { errno = ENOMEM; - return -1; + return 0; } jt = 1;
@@ -600,7 +605,7 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f, s = stack_create(sizeof(struct jump), 3 + 80); if (s == NULL) { errno = ENOMEM; - return -1; + return 0; } jf = 1;
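Review bot: In bsf_cmp_subsys, `#if BYTE_ORDER == BIG_ENDIAN` evaluates as `0 == 0` when neither macro is defined, because the preprocessor treats unknown identifiers as 0. If `<endian.h>` does not expose them in some build (this can depend on the libc and feature-test macros, which are not visible here), a little-endian host would silently take the `.k = 0` branch and the filter would compare the wrong byte against `subsys`. Putting `#if !defined(BYTE_ORDER) || !defined(BIG_ENDIAN)` / `#error "byte order macros not defined"` / `#endif` ahead of the test turns that into a build failure. A short comment on why the byte offset depends on host byte order (presumably the subsystem id is one half of a 16-bit host-endian field) would also help; the function body starts and ends outside the hunk.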
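Review bot: Returning 0 after `stack_create()` fails in add_state_filter_cta leaves `errno` as the only failure signal, and to a caller that accumulates the return value 0 reads as "no instructions added". Unless the caller inspects `errno` (not visible in this diff), an allocation failure produces a socket filter that silently omits this clause yet is still attached. The same pattern is introduced in add_state_filter (ENOTSUP), bsf_add_proto_filter, bsf_add_addr_ipv4_filter, bsf_add_addr_ipv6_filter and bsf_add_mark_filter. Consider stating the contract at each site, e.g. `/* returns the number of instructions added; 0 with errno set on failure */`, and having `__setup_netlink_socket_filter` refuse to attach the program when a builder reported an error. All of these function bodies start and end outside their hunks.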
@@ -635,8 +640,8 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f, j); if (k < 3) { j += nfct_bsf_cmp_k_stack_jf(this, ip, - jf - j - 1, - j, s); + (3 - k) * 3 + 1, + j, s); } else { /* last word: jump if true */ j += nfct_bsf_cmp_k_stack(this, ip, jf - j,
@@ -650,7 +655,7 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f, this[jmp.line].jt += jmp.jt + j; } if (jmp.jf) { - this[jmp.line].jf += jmp.jf + j; + this[jmp.line].jf += jmp.jf; } }
@@ -699,7 +704,7 @@ bsf_add_mark_filter(const struct nfct_filter *f, struct sock_filter *this) s = stack_create(sizeof(struct jump), 3 + 127); if (s == NULL) { errno = ENOMEM; - return -1; + return 0; } jt = 1;
@@ -778,7 +783,7 @@ int __setup_netlink_socket_filter(int fd, struct nfct_filter *f) show_filter(bsf, from, j, "---- final verdict ----"); from = j; - sf.len = (sizeof(struct sock_filter) * j) / sizeof(bsf[0]); + sf.len = j; sf.filter = bsf; return setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, &sf, sizeof(sf)); |
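Review bot: The new jump-false offset `(3 - k) * 3 + 1` in bsf_add_addr_ipv6_filter hard-codes an instruction count, and nothing in the hunk ties either `3` to the code that emits the per-word sequence. If that sequence changes length, the jump lands inside another comparison and the filter misclassifies addresses without any error. A comment such as `/* on mismatch skip the remaining (3 - k) words, 3 insns each, plus 1 */` (wording to be confirmed against the emitters, which are outside this hunk) or named constants would make the arithmetic checkable. The matching fix-up in the next hunk, `this[jmp.line].jf += jmp.jf;`, relies on the same assumption and deserves a one-line note on why `jf` is no longer rebased by `j` while `jt` still is.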
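Review bot: `sf.len = j;` in __setup_netlink_socket_filter stores an `int` in the `unsigned short` length field of `struct sock_fprog`, with no bound check visible in the hunk. The body above the hunk is not shown, so a check may already exist; if it does not, a `j` larger than the capacity of `bsf` means the builders have already written past the array, and a value that does not fit the field is truncated before the kernel sees it. Consider validating before the assignment, e.g. `if (j <= 0 || j > BPF_MAXINSNS) { errno = EINVAL; return -1; }`, and also checking `j` against the declared size of `bsf`.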