| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
Analogous to XTTYPE_UINT*RC value parsing, assert consecutive port
values are not lower than previous ones.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
| |
Extensions commonly require the upper range value to be larger or equal
to the lower one. Performing this check in the parser is easier and
covers all extensions at once.
One notable exception is NFQUEUE which requires strict monotonicity.
Hence leave its checks in place.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
| |
For every extension option accepting a range, test open and half-open as
well as single element and invalid (negative) ranges.
The added tests merely reflect the status quo, not the expected outcome.
Following patches will fix results and the already existing test cases
highlight the fixes' effects.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are three issues in the code:
1) the check (sinfo->invflags & XT_INV_PROTO) is using the wrong mask
2) in conntrack_mt_parse it is testing (info->invert_flags &
XT_INV_PROTO) before the invert bit has been set.
3) the sense of the error message is the wrong way round
1) To get the error, ! -ctstatus XXX has to be specified, since
XT_INV_PROTO == XT_CONNTRACK_STATUS e.g.
| iptables -I CHAIN -m conntrack ! --ctstatus ASSURED --ctproto 0 ...
3) Unlike --proto 0 (where 0 means all protocols), in the conntrack
match --ctproto 0 appears to mean protocol 0, which can never be.
Therefore --ctproto 0 could never match and ! --ctproto 0 will always
match. Both of these should be rejected, since the user clearly
cannot be intending what was specified.
The attached patch resolves the issue, and also produces an error
message if --ctproto 0 is specified (as well as ! --ctproto 0 ), since
--ctproto 0 will never match, and ! --ctproto 0 will always match.
[Phil: - Added Fixes: tag - it's a day 1 bug
- Copied patch description from Bugzilla
- Reorganized changes to reduce diff
- Added test cases]
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=874
Fixes: 5054e85be3068 ("general conntrack match module userspace support files")
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|