authorPablo Neira Ayuso <pablo@netfilter.org>2012-08-20 16:11:00 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2012-08-20 17:38:24 +0200
commit89de65dc184e7b7ed5bfededd647e190c3bf310a (patch)
treed929a771bf71f15fbe1d55c12911e658d30451df
parent4b6df760e3b19ec522b66cbbb5b280fec7c0405b (diff)
conntrack: fix BPF code for IPv6 filtering in case of NFCT_FILTER_LOGIC_POSITIVE
4b6df76 conntrack: fix autogenerated BPF code for IPv6 filtering aimed to fix a bug in the IPv6 BPF filtering. However, it didn't fix it for the NFCT_FILTER_LOGIC_POSITIVE case since the jump is still miscalculated. This chunk below shows the BPF code to filter IPv6 address 2:4:6:: {0x00020004, 0x00060000, 0x0, 0x0 } in case that NFCT_FILTER_LOGIC_POSITIVE is used, i.e. if that address matches, accept the event. (0032) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000004 (0033) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff (0034) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=09 k=00020004 [ this above compares second 4 bytes with 00020004, if comparison fails it jumps to 003e ] (0035) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000008 (0036) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff (0037) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=06 k=00060000 [ this above compares second 4 bytes with 00060000, if comparison fails it jumps to 003e ] (0038) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=0000000c (0039) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff (003a) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=03 k=00000000 [ this above compares third 4 bytes with 00000000, if comparison fails it jumps to 003e ] (003b) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000010 (003c) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff (003d) code= BPF_JMP|BPF_JEQ|BPF_K jt=01 jf=00 k=00000000 [ this above compares last 4 bytes with 00000000, if comparison succeeded it jumps to 003f, which means, accept event ] (003e) code= BPF_RET|BPF_K jt=00 jf=00 k=00000000 ---- final verdict ---- (003f) code= BPF_RET|BPF_K jt=00 jf=00 k=ffffffff Just for the record: This chunk below shows the BPF code to filter IPv6 address 2:4:6:: {0x00020004, 0x00060000, 0x0, 0x0 } in case that NFCT_FILTER_LOGIC_NEGATIVE is used, i.e. if that address matches, drop the event. [...]
(0032) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000004 (0033) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff (0034) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=09 k=00020004 [ this above compares first 4 bytes with 00020004, if comparison fails it jumps to 003e ] (0035) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000008 (0036) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff (0037) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=06 k=00060000 [ this above compares second 4 bytes with 00060000, if comparison fails it jumps to 003e ] (0038) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=0000000c (0039) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff (003a) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=03 k=00000000 [ this above compares third 4 bytes with 00000000, if comparison fails it jumps to 003e ] (003b) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000010 (003c) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff (003d) code= BPF_JMP|BPF_JEQ|BPF_K jt=01 jf=00 k=00000000 [ this above compares last 4 bytes with 00000000, if comparison succeeded it jumps to 003e ] (003e) code= BPF_JMP|BPF_JA jt=00 jf=00 k=00000001 (003f) code= BPF_RET|BPF_K jt=00 jf=00 k=00000000 [ default action specified by 003e is to drop the event ] Tested-by: Eric Leblond <eric@regit.org> Reported-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--src/conntrack/bsf.c16
1 files changed, 7 insertions, 9 deletions
diff --git a/src/conntrack/bsf.c b/src/conntrack/bsf.c
index c14531e..534202f 100644
--- a/src/conntrack/bsf.c
+++ b/src/conntrack/bsf.c
@@ -562,7 +562,7 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f,
unsigned int type)
{
unsigned int i, j, dir, attr;
- unsigned int label_continue[2], jf;
+ unsigned int label_continue, jf;
struct stack *s;
struct jump jmp;
@@ -592,23 +592,21 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f,
jf = 1;
if (f->logic[attr] == NFCT_FILTER_LOGIC_POSITIVE) {
- label_continue[0] = 1;
- label_continue[1] = 2;
+ label_continue = 1;
} else {
- label_continue[0] = 2;
- label_continue[1] = 1;
+ label_continue = 2;
}
j = 0;
j += nfct_bsf_load_payload_offset(this, j);
j += nfct_bsf_find_attr(this, CTA_TUPLE_ORIG, j);
- j += nfct_bsf_cmp_k_stack(this, 0, label_continue[0] - j, j, s);
+ j += nfct_bsf_cmp_k_stack(this, 0, label_continue - j, j, s);
/* no need to access attribute payload, we are using nest-based finder
* j += nfct_bsf_add_attr_data_offset(this, j); */
j += nfct_bsf_find_attr_nest(this, CTA_TUPLE_IP, j);
- j += nfct_bsf_cmp_k_stack(this, 0, label_continue[0] - j, j, s);
+ j += nfct_bsf_cmp_k_stack(this, 0, label_continue - j, j, s);
j += nfct_bsf_find_attr_nest(this, type, j);
- j += nfct_bsf_cmp_k_stack(this, 0, label_continue[0] - j, j, s);
+ j += nfct_bsf_cmp_k_stack(this, 0, label_continue - j, j, s);
j += nfct_bsf_x_equal_a(this, j);
for (i = 0; i < f->l3proto_elems_ipv6[dir]; i++) {
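Review bot: The literals 1 and 2 assigned to `label_continue` are bare jump labels, and with the two-element array gone nothing in this hunk says which instruction each one resolves to for NFCT_FILTER_LOGIC_POSITIVE versus the negative case. A short comment above the `if` naming the target of each label would make the next offset change reviewable without dumping the generated program. Separately, `label_continue - j` is computed on two `unsigned int` values after `j` has already been advanced by the preceding emit calls, so the expression presumably wraps and relies on the callee and a later fix-up to bring it back into range. That dependency is worth stating next to the first `nfct_bsf_cmp_k_stack` call, e.g. `/* relative label, resolved against the final program length */`, if that is indeed how the stack is unwound. The function body continues outside this hunk.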
@@ -624,7 +622,7 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f,
j);
if (k < 3) {
j += nfct_bsf_cmp_k_stack_jf(this, ip,
- jf - j - label_continue[1],
+ jf - j - 1,
j, s);
} else {
/* last word: jump if true */
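Review bot: The mismatch offset passed to `nfct_bsf_cmp_k_stack_jf` is now the constant in `jf - j - 1`, and the call site gives no reason why it no longer depends on `f->logic[attr]`. Going by the two dumps in the description, a failed word comparison lands on the instruction right after the last word's compare in both modes, so a comment such as `/* on mismatch, skip to the instruction after the last word's compare, for both logic modes */` would record that. This is the second fix to the same offset (4b6df76 left the positive case wrong), and a wrong `jf` silently changes which conntrack events a listener receives. A regression test that builds the IPv6 filter for both logic modes and checks the emitted `jt`/`jf` values against the dumps in the description would catch a recurrence. The `else` branch and the rest of the loop lie outside this hunk.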