| author | Jeremy Sowden <jeremy@azazel.net> | 2024-11-18 13:56:50 +0000 |
|---|---|---|
| committer | Phil Sutter <phil@nwl.cc> | 2024-11-19 23:46:34 +0100 |
| commit | 40406dbfaefbc204134452b2747bae4f6a122848 | |
| tree | 473ffdb58a20f5f84259f435f4012aeb400a7ba1 /libiptc | |
| parent | e6e232d0ae252b0b86278455b18d9475b95db8f0 | |
nft: fix interface comparisons in `-C` commands
Commit 9ccae6397475 ("nft: Leave interface masks alone when parsing from
kernel") removed code which explicitly set interface masks to all ones. The
result of this is that they are zero. However, they are used to mask interfaces
in `is_same_interfaces`. Consequently, the masked values are always zero, the
comparisons are always true, and check commands which ought to fail succeed:
# iptables -N test
# iptables -A test -i lo \! -o lo -j REJECT
# iptables -v -L test
Chain test (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- lo !lo anywhere anywhere reject-with icmp-port-unreachable
# iptables -v -C test -i abcdefgh \! -o abcdefgh -j REJECT
REJECT all opt -- in lo out !lo 0.0.0.0/0 -> 0.0.0.0/0 reject-with icmp-port-unreachable
Remove the mask parameters from `is_same_interfaces`. Add a test-case.
Fixes: 9ccae6397475 ("nft: Leave interface masks alone when parsing from kernel")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'libiptc')
0 files changed, 0 insertions, 0 deletions
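An added illustration of the failure mode described in the commit message, not code from the iptables project: a hypothetical, simplified model of an interface comparison that masks each name byte before comparing (the pre-fix shape) beside one that compares the names directly (the post-fix shape). With the masks left at zero, the masked comparison reports "lo" and "abcdefgh" as the same interface, which is exactly why the `-C` check above succeeded.

```c
#include <stdbool.h>
#include <string.h>

#define IFNAMSIZ 16

/* Hypothetical pre-fix shape: both names are ANDed with their masks before
 * comparison. Not the project's code, only a model of the bug. */
bool is_same_interfaces_masked(const char *a_iface, const unsigned char *a_mask,
                               const char *b_iface, const unsigned char *b_mask)
{
    for (int i = 0; i < IFNAMSIZ; i++) {
        if (a_mask[i] != b_mask[i])
            return false;
        /* With an all-zero mask every byte compares as 0 == 0. */
        if ((a_iface[i] & a_mask[i]) != (b_iface[i] & b_mask[i]))
            return false;
    }
    return true;
}

/* Post-fix shape: no mask parameters, compare the names themselves. */
bool is_same_interfaces(const char *a_iface, const char *b_iface)
{
    return strncmp(a_iface, b_iface, IFNAMSIZ) == 0;
}

/* Constructed scenario from the commit message: the rule was added with
 * "lo" but the check command passes "abcdefgh". */
bool buggy_check_matches(void)
{
    char rule[IFNAMSIZ] = "lo";
    char check[IFNAMSIZ] = "abcdefgh";
    unsigned char zero_mask[IFNAMSIZ] = {0}; /* masks no longer set to all ones */
    return is_same_interfaces_masked(rule, zero_mask, check, zero_mask); /* true: bug */
}

bool fixed_check_matches(void)
{
    char rule[IFNAMSIZ] = "lo";
    char check[IFNAMSIZ] = "abcdefgh";
    return is_same_interfaces(rule, check); /* false: check correctly fails */
}
```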