author | Giuseppe Longo <giuseppelng@gmail.com> | 2014-08-22 11:16:31 +0200 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-08-24 15:29:47 +0200 |
commit | d579c3cba69ec958ca93216a77f15acfa1487e09 (patch) | |
tree | f78711526ba6e99e9dcd8dd9c792f192cf8240ba /iptables/nft-ipv6.c | |
parent | b772c3f24f75e586e406675e4b0b79eabfe3375e (diff) |
nft: compare layer 4 protocol in first place
Currently the protocol is tested after the IP address; this patch changes the order so that the protocol is tested before the IP address.
Before this patch, the generated code is (note the incorrect order):
ip filter INPUT 16
[ payload load 4b @ network header + 12 => reg 1 ]
[ cmp eq reg 1 0x0100a8c0 ]
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ match name tcp rev 0 ]
[ match name conntrack rev 3 ]
[ counter pkts 0 bytes 0 ]
[ immediate reg 0 accept ]
With this patch, the code generated is:
ip filter INPUT 16
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 4b @ network header + 12 => reg 1 ]
[ cmp eq reg 1 0x0100a8c0 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ match name tcp rev 0 ]
[ match name conntrack rev 3 ]
[ counter pkts 0 bytes 0 ]
[ immediate reg 0 accept ]
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/nft-ipv6.c')
-rw-r--r-- | iptables/nft-ipv6.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 00f1bf8e..52de5b69 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -34,6 +34,10 @@ static int nft_ipv6_add(struct nft_rule *r, void *data)
 	if (cs->fw6.ipv6.outiface[0] != '\0')
 		add_outiface(r, cs->fw6.ipv6.outiface, cs->fw6.ipv6.invflags);
 
+	if (cs->fw6.ipv6.proto != 0)
+		add_proto(r, offsetof(struct ip6_hdr, ip6_nxt), 1,
+			  cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags);
+
 	if (!IN6_IS_ADDR_UNSPECIFIED(&cs->fw6.ipv6.src))
 		add_addr(r, offsetof(struct ip6_hdr, ip6_src),
 			 &cs->fw6.ipv6.src, 16, cs->fw6.ipv6.invflags);
@@ -42,10 +46,6 @@ static int nft_ipv6_add(struct nft_rule *r, void *data)
 		add_addr(r, offsetof(struct ip6_hdr, ip6_dst),
 			 &cs->fw6.ipv6.dst, 16, cs->fw6.ipv6.invflags);
 
-	if (cs->fw6.ipv6.proto != 0)
-		add_proto(r, offsetof(struct ip6_hdr, ip6_nxt), 1,
-			  cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags);
-
 	add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags);
 
 	for (matchp = cs->matches; matchp; matchp = matchp->next) {
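Review bot: The `add_proto()` call moved to the top of this hunk matches on `ip6_nxt`, the fixed next-header byte of the base IPv6 header, so a packet whose transport header sits behind an extension header (hop-by-hop, routing, fragment, destination options) carries that extension header's number there and would not match `-p tcp`, while `! -p tcp` would accept it — a rule-bypass if the generated expression is a plain payload compare like the IPv4 output quoted in the description. Whether `add_proto()` emits such a compare and whether anything downstream walks the extension-header chain (as ip6_tables does for `-p`) is outside this hunk, so please confirm rather than take this as established; if it is a plain compare, matching the layer-4 protocol with the `meta l4proto` expression, which follows the chain, would close the gap. The reordering itself is undocumented in the code; a comment such as `/* Match the L4 protocol before the addresses so the generated rule keeps the intended expression order. */` above the new `if` would keep a later cleanup from moving it back. nft_ipv6_add() starts before this hunk and continues past it.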