authorPhil Sutter <phil@nwl.cc>2018-08-09 18:06:56 +0200
committerFlorian Westphal <fw@strlen.de>2018-08-09 21:54:17 +0200
commit9ca32c40ed4f0648893989c1e5d03e9fecc501ae (patch)
treed7c284ad9cc1c35821e8d23468b79670dacc59d2
parente055aebe63c5d12be8e58e1dc5a5a018c3adf2ac (diff)
xtables: Don't pass full invflags to add_compat()
The function expects a boolean, not a bitfield. This bug caused inversion in another match to carry over to protocol match by accident. The supplied testcase contains rules which then fail because they contain matches requiring that protocol. Fixes: 4ef77b6d1b52e ("xtables: fix missing protocol and invflags") Fixes: 4143a08819a07 ("ebtables-compat: add nft rule compat information to bridge rules") Signed-off-by: Phil Sutter <phil@nwl.cc>
-rw-r--r--iptables/nft-bridge.c2
-rw-r--r--iptables/nft-ipv4.c2
-rw-r--r--iptables/nft-ipv6.c2
-rwxr-xr-xiptables/tests/shell/testcases/nft-only/0002invflags_010
4 files changed, 13 insertions, 3 deletions
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 386da869..7dcc0c1a 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -222,7 +222,7 @@ static int nft_bridge_add(struct nftnl_rule *r, void *data)
add_cmp_u16(r, fw->ethproto, op);
}
- add_compat(r, fw->ethproto, fw->invflags);
+ add_compat(r, fw->ethproto, fw->invflags & EBT_IPROTO);
for (iter = cs->match_list; iter; iter = iter->next) {
if (iter->ismatch) {
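Review bot: The value handed to add_compat() on the `+` line is the raw masked bit (`fw->invflags & EBT_IPROTO`), not a normalized 0/1 boolean; if add_compat's third parameter is declared `bool` (as the commit message's "expects a boolean" suggests) the implicit conversion makes this correct, but should it be an integer type that is compared against 1 or stored into a flags word, a non-unit bit value would misbehave. Writing `add_compat(r, fw->ethproto, !!(fw->invflags & EBT_IPROTO));` makes the intent explicit and keeps the call correct regardless of the parameter type. The same remark applies to the nft-ipv4.c and nft-ipv6.c hunks, which mask with XT_INV_PROTO. nft_bridge_add's body begins before and continues after this hunk.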
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index eaf861d1..4f31a516 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -75,7 +75,7 @@ static int nft_ipv4_add(struct nftnl_rule *r, void *data)
add_cmp_u16(r, 0, op);
}
- add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags);
+ add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags & XT_INV_PROTO);
for (matchp = cs->matches; matchp; matchp = matchp->next) {
/* Use nft built-in comments support instead of comment match */
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index fa5b8c89..c651b16d 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -60,7 +60,7 @@ static int nft_ipv6_add(struct nftnl_rule *r, void *data)
&cs->fw6.ipv6.dst, &cs->fw6.ipv6.dmsk,
sizeof(struct in6_addr), op);
}
- add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags);
+ add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags & XT_INV_PROTO);
for (matchp = cs->matches; matchp; matchp = matchp->next) {
/* Use nft built-in comments support instead of comment match */
diff --git a/iptables/tests/shell/testcases/nft-only/0002invflags_0 b/iptables/tests/shell/testcases/nft-only/0002invflags_0
new file mode 100755
index 00000000..406b6081
--- /dev/null
+++ b/iptables/tests/shell/testcases/nft-only/0002invflags_0
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+
+$XT_MULTI iptables -A INPUT -p tcp --dport 53 ! -s 192.168.0.1 -j ACCEPT
+$XT_MULTI ip6tables -A INPUT -p tcp --dport 53 ! -s feed:babe::1 -j ACCEPT
+$XT_MULTI ebtables -A INPUT -p IPv4 --ip-src 10.0.0.1 ! -i lo -j ACCEPT
+
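Review bot: The skip guard `[[ $XT_MULTI == */xtables-nft-multi ]]` is a bash-only construct under a `#!/bin/sh` shebang; where /bin/sh is dash, `[[` is not found, the `||` branch runs, and the script prints "skip" and exits 0 without exercising anything, which would silently mask a regression of this fix. If the harness executes the file through its shebang, either change it to `#!/bin/bash` or use a POSIX pattern match: `case "$XT_MULTI" in */xtables-nft-multi) ;; *) echo "skip $XT_MULTI"; exit 0;; esac`. The test also only checks that the three rules are accepted (via `set -e`); it does not verify that the stored rule still negates the source/interface rather than the protocol, so comparing the listed rule against the expected text after each add would pin the behaviour the commit describes.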