From d9e4d162d109458938dcd188eb5eb78bab90a898 Mon Sep 17 00:00:00 2001 From: Jeremy Sowden Date: Sun, 3 Sep 2023 18:10:09 +0100 Subject: conntrack: fix BPF for filtering IPv6 addresses Each address in the filter is matched one 32-bit word at a time. If any of the first three words don't match, we jump to the end of the filter. If the last word does match, we jump to the end of the filter. However, this is not right: it means that if any of the first three words of an address don't match, all subsequent addresses will be skipped. Instead, jump to the next address. Fix formatting of `nfct_bsf_cmp_k_stack`. Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690676 Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1062 Fixes: dd73e5708cc2 ("bsf: add support for IPv6 address filtering") Signed-off-by: Jeremy Sowden Signed-off-by: Florian Westphal --- src/conntrack/bsf.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/conntrack/bsf.c b/src/conntrack/bsf.c index 35cc8b7..48fd4fa 100644 --- a/src/conntrack/bsf.c +++ b/src/conntrack/bsf.c @@ -163,7 +163,7 @@ struct jump { static int nfct_bsf_cmp_k_stack(struct sock_filter *this, int k, - int jump_true, int pos, struct stack *s) + int jump_true, int pos, struct stack *s) { struct sock_filter __code = { .code = BPF_JMP|BPF_JEQ|BPF_K, @@ -640,8 +640,8 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f, j); if (k < 3) { j += nfct_bsf_cmp_k_stack_jf(this, ip, - jf - j - 1, - j, s); + (3 - k) * 3 + 1, + j, s); } else { /* last word: jump if true */ j += nfct_bsf_cmp_k_stack(this, ip, jf - j, @@ -655,7 +655,7 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f, this[jmp.line].jt += jmp.jt + j; } if (jmp.jf) { - this[jmp.line].jf += jmp.jf + j; + this[jmp.line].jf += jmp.jf; } } -- cgit v1.2.3