authorFlorian Westphal <fw@strlen.de>2018-11-05 17:05:12 +0100
committerFlorian Westphal <fw@strlen.de>2018-11-12 14:53:24 +0100
commitc0c75ce336e111f7b0fe08f7671ba2ae66ed630c (patch)
tree2c42e72cd210df28c7114dd36ad017aa1f824702 /iptables
parent3ac65afe058ef65eb343a1ffd1f9b448d96a7402 (diff)
arptables: fix -s/-d handling for negation and mask
also handle negations in other cases. Still to be resolved: mask handling for other options such as hlen. Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'iptables')
-rw-r--r--iptables/nft-arp.c20
1 files changed, 14 insertions, 6 deletions
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 675f0eb9..21adc5db 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -154,21 +154,24 @@ static int nft_arp_add(struct nftnl_rule *r, void *data)
add_outiface(r, fw->arp.outiface, op);
}
- if (fw->arp.arhrd != 0) {
+ if (fw->arp.arhrd != 0 ||
+ fw->arp.invflags & ARPT_INV_ARPHRD) {
op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_ARPHRD);
add_payload(r, offsetof(struct arphdr, ar_hrd), 2,
NFT_PAYLOAD_NETWORK_HEADER);
add_cmp_u16(r, fw->arp.arhrd, op);
}
- if (fw->arp.arpro != 0) {
+ if (fw->arp.arpro != 0 ||
+ fw->arp.invflags & ARPT_INV_ARPPRO) {
op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_ARPPRO);
add_payload(r, offsetof(struct arphdr, ar_pro), 2,
NFT_PAYLOAD_NETWORK_HEADER);
add_cmp_u16(r, fw->arp.arpro, op);
}
- if (fw->arp.arhln != 0) {
+ if (fw->arp.arhln != 0 ||
+ fw->arp.invflags & ARPT_INV_ARPHLN) {
op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_ARPHLN);
add_proto(r, offsetof(struct arphdr, ar_hln), 1,
fw->arp.arhln, op);
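Review bot: The new tests such as `fw->arp.arhrd != 0 || fw->arp.invflags & ARPT_INV_ARPHRD` rely on `&` binding tighter than `||`; that is correct, but parenthesising the flag test, `(fw->arp.invflags & ARPT_INV_ARPHRD)`, makes the grouping explicit and guards against a later edit changing it. The same form appears in the arpro and arhln tests in this hunk and in the arpop, src and tgt tests in the following hunks. A one-line comment above the first test, for example `/* an inverted match on value 0 must still emit a compare */`, would record why the zero check alone was not sufficient. The arhln block closes outside this hunk.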
@@ -176,7 +179,8 @@ static int nft_arp_add(struct nftnl_rule *r, void *data)
add_proto(r, offsetof(struct arphdr, ar_pln), 1, 4, NFT_CMP_EQ);
- if (fw->arp.arpop != 0) {
+ if (fw->arp.arpop != 0 ||
+ fw->arp.invflags & ARPT_INV_ARPOP) {
op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_ARPOP);
add_payload(r, offsetof(struct arphdr, ar_op), 2,
NFT_PAYLOAD_NETWORK_HEADER);
@@ -190,7 +194,9 @@ static int nft_arp_add(struct nftnl_rule *r, void *data)
add_cmp_ptr(r, op, fw->arp.src_devaddr.addr, fw->arp.arhln);
}
- if (fw->arp.src.s_addr != 0) {
+ if (fw->arp.src.s_addr != 0 ||
+ fw->arp.smsk.s_addr != 0 ||
+ fw->arp.invflags & ARPT_INV_SRCIP) {
op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_SRCIP);
add_addr(r, sizeof(struct arphdr) + fw->arp.arhln,
&fw->arp.src.s_addr, &fw->arp.smsk.s_addr,
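Review bot: The source-IP match at `add_addr(r, sizeof(struct arphdr) + fw->arp.arhln, ...)` takes its payload offset from the rule's `arhln`, and with this commit that value may belong to a negated hlen match (the `ARPT_INV_ARPHLN` test in the first hunk), so the address compare would read at an offset the matched packets do not use. The target-IP offset in the last hunk has the same dependency. If the option parser does not already reject that combination (not visible here), a rule can compare the wrong bytes and silently fail to filter the intended address. Consider rejecting or skipping the IP match when `fw->arp.invflags & ARPT_INV_ARPHLN` is set, or at least documenting the assumption with `/* offset assumes ar_hln == fw->arp.arhln */`. The add_addr call continues past the end of this hunk.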
@@ -204,7 +210,9 @@ static int nft_arp_add(struct nftnl_rule *r, void *data)
add_cmp_ptr(r, op, fw->arp.tgt_devaddr.addr, fw->arp.arhln);
}
- if (fw->arp.tgt.s_addr != 0) {
+ if (fw->arp.tgt.s_addr != 0 ||
+ fw->arp.tmsk.s_addr != 0 ||
+ fw->arp.invflags & ARPT_INV_TGTIP) {
op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_TGTIP);
add_addr(r, sizeof(struct arphdr) + fw->arp.arhln + sizeof(struct in_addr),
&fw->arp.tgt.s_addr, &fw->arp.tmsk.s_addr,