From 89de65dc184e7b7ed5bfededd647e190c3bf310a Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 20 Aug 2012 16:11:00 +0200
Subject: conntrack: fix BPF code for IPv6 filtering in case of
 NFCT_FILTER_LOGIC_POSITIVE

4b6df76 conntrack: fix autogenerated BPF code for IPv6 filtering aimed
to fix a bug the IPv6 BPF filtering. However, it didn't fix it for
NFCT_FILTER_LOGIC_POSITIVE case since jump is still miscalculated.

This chunk below shows the BPF code to filter IPv6 address 2:4:6::
{0x00020004, 0x00060000, 0x0, 0x0 } in case that NFCT_FILTER_LOGIC_POSITIVE
is used, ie. if that address matches, accept the event.

(0032) code=          BPF_LD|BPF_W|BPF_IND      jt=00 jf=00 k=00000004
(0033) code=         BPF_ALU|BPF_AND|BPF_K      jt=00 jf=00 k=ffffffff
(0034) code=         BPF_JMP|BPF_JEQ|BPF_K      jt=00 jf=09 k=00020004

[ this above compares second 4 bytes with 00020004, if comparison fails
  it jumps to 003e ]

(0035) code=          BPF_LD|BPF_W|BPF_IND      jt=00 jf=00 k=00000008
(0036) code=         BPF_ALU|BPF_AND|BPF_K      jt=00 jf=00 k=ffffffff
(0037) code=         BPF_JMP|BPF_JEQ|BPF_K      jt=00 jf=06 k=00060000

[ this above compares second 4 bytes with 00060000, if comparison fails
  it jumps to 003e ]

(0038) code=          BPF_LD|BPF_W|BPF_IND      jt=00 jf=00 k=0000000c
(0039) code=         BPF_ALU|BPF_AND|BPF_K      jt=00 jf=00 k=ffffffff
(003a) code=         BPF_JMP|BPF_JEQ|BPF_K      jt=00 jf=03 k=00000000

[ this above compares third 4 bytes with 00000000, if comparison fails
  it jumps to 003e ]

(003b) code=          BPF_LD|BPF_W|BPF_IND      jt=00 jf=00 k=00000010
(003c) code=         BPF_ALU|BPF_AND|BPF_K      jt=00 jf=00 k=ffffffff
(003d) code=         BPF_JMP|BPF_JEQ|BPF_K      jt=01 jf=00 k=00000000

[ this above compares last 4 bytes with 00000000, if comparison succeded
  it jumps to 003f, which means, accept event ]

(003e) code=                 BPF_RET|BPF_K      jt=00 jf=00 k=00000000
---- final verdict ----
(003f) code=                 BPF_RET|BPF_K      jt=00 jf=00 k=ffffffff

Just for the record: This chunk below shows the BPF code to filter IPv6
address 2:4:6:: {0x00020004, 0x00060000, 0x0, 0x0 } in case that
NFCT_FILTER_LOGIC_NEGATIVE is used, ie. if that address matches, drop
the event.

[...]
(0032) code=          BPF_LD|BPF_W|BPF_IND      jt=00 jf=00 k=00000004
(0033) code=         BPF_ALU|BPF_AND|BPF_K      jt=00 jf=00 k=ffffffff
(0034) code=         BPF_JMP|BPF_JEQ|BPF_K      jt=00 jf=09 k=00020004

[ this above compares first 4 bytes with 00020004, if comparison fails
  it jumps to 003e ]

(0035) code=          BPF_LD|BPF_W|BPF_IND      jt=00 jf=00 k=00000008
(0036) code=         BPF_ALU|BPF_AND|BPF_K      jt=00 jf=00 k=ffffffff
(0037) code=         BPF_JMP|BPF_JEQ|BPF_K      jt=00 jf=06 k=00060000

[ this above compares second 4 bytes with 00060000, if comparison fails
  it jumps to 003e ]

(0038) code=          BPF_LD|BPF_W|BPF_IND      jt=00 jf=00 k=0000000c
(0039) code=         BPF_ALU|BPF_AND|BPF_K      jt=00 jf=00 k=ffffffff
(003a) code=         BPF_JMP|BPF_JEQ|BPF_K      jt=00 jf=03 k=00000000

[ this above compares third 4 bytes with 00000000, if comparison fails
  it jumps to 003e ]

(003b) code=          BPF_LD|BPF_W|BPF_IND      jt=00 jf=00 k=00000010
(003c) code=         BPF_ALU|BPF_AND|BPF_K      jt=00 jf=00 k=ffffffff
(003d) code=         BPF_JMP|BPF_JEQ|BPF_K      jt=01 jf=00 k=00000000

[ this above compares last 4 bytes with 00000000, if comparison succeded
  it jumps to 003e ]

(003e) code=                BPF_JMP|BPF_JA      jt=00 jf=00 k=00000001
(003f) code=                 BPF_RET|BPF_K      jt=00 jf=00 k=00000000

[ default action specified by 003e is to drop the event ]

Tested-by: Eric Leblond <eric@regit.org>
Reported-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/conntrack/bsf.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/src/conntrack/bsf.c b/src/conntrack/bsf.c
index c14531e..534202f 100644
--- a/src/conntrack/bsf.c
+++ b/src/conntrack/bsf.c
@@ -562,7 +562,7 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f,
 			 unsigned int type)
 {
 	unsigned int i, j, dir, attr;
-	unsigned int label_continue[2], jf;
+	unsigned int label_continue, jf;
 	struct stack *s;
 	struct jump jmp;
 
@@ -592,23 +592,21 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f,
 
 	jf = 1;
 	if (f->logic[attr] == NFCT_FILTER_LOGIC_POSITIVE) {
-		label_continue[0] = 1;
-		label_continue[1] = 2;
+		label_continue = 1;
 	} else {
-		label_continue[0] = 2;
-		label_continue[1] = 1;
+		label_continue = 2;
 	}
 
 	j = 0;
 	j += nfct_bsf_load_payload_offset(this, j);
 	j += nfct_bsf_find_attr(this, CTA_TUPLE_ORIG, j);
-	j += nfct_bsf_cmp_k_stack(this, 0, label_continue[0] - j, j, s);
+	j += nfct_bsf_cmp_k_stack(this, 0, label_continue - j, j, s);
 	/* no need to access attribute payload, we are using nest-based finder
 	 * j += nfct_bsf_add_attr_data_offset(this, j); */
 	j += nfct_bsf_find_attr_nest(this, CTA_TUPLE_IP, j);
-	j += nfct_bsf_cmp_k_stack(this, 0, label_continue[0] - j, j, s);
+	j += nfct_bsf_cmp_k_stack(this, 0, label_continue - j, j, s);
 	j += nfct_bsf_find_attr_nest(this, type, j);
-	j += nfct_bsf_cmp_k_stack(this, 0, label_continue[0] - j, j, s);
+	j += nfct_bsf_cmp_k_stack(this, 0, label_continue - j, j, s);
 	j += nfct_bsf_x_equal_a(this, j);
 
 	for (i = 0; i < f->l3proto_elems_ipv6[dir]; i++) {
@@ -624,7 +622,7 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f,
 					      j);
 			if (k < 3) {
 				j += nfct_bsf_cmp_k_stack_jf(this, ip,
-						jf - j - label_continue[1],
+						jf - j - 1,
 						j, s);
 			} else {
 				/* last word: jump if true */
-- 
cgit v1.2.3