author | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-08-20 16:11:00 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-08-20 17:38:24 +0200 |
commit | 89de65dc184e7b7ed5bfededd647e190c3bf310a (patch) | |
tree | d929a771bf71f15fbe1d55c12911e658d30451df /src/conntrack | |
parent | 4b6df760e3b19ec522b66cbbb5b280fec7c0405b (diff) |
conntrack: fix BPF code for IPv6 filtering in case of NFCT_FILTER_LOGIC_POSITIVE
4b6df76 conntrack: fix autogenerated BPF code for IPv6 filtering aimed
to fix a bug in the IPv6 BPF filtering. However, it didn't fix it for the
NFCT_FILTER_LOGIC_POSITIVE case since the jump is still miscalculated.
This chunk below shows the BPF code to filter IPv6 address 2:4:6::
{0x00020004, 0x00060000, 0x0, 0x0 } in case that NFCT_FILTER_LOGIC_POSITIVE
is used, ie. if that address matches, accept the event.
(0032) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000004
(0033) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(0034) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=09 k=00020004
[ this above compares second 4 bytes with 00020004, if comparison fails
it jumps to 003e ]
(0035) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000008
(0036) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(0037) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=06 k=00060000
[ this above compares second 4 bytes with 00060000, if comparison fails
it jumps to 003e ]
(0038) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=0000000c
(0039) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(003a) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=03 k=00000000
[ this above compares third 4 bytes with 00000000, if comparison fails
it jumps to 003e ]
(003b) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000010
(003c) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(003d) code= BPF_JMP|BPF_JEQ|BPF_K jt=01 jf=00 k=00000000
[ this above compares last 4 bytes with 00000000, if comparison succeeded
it jumps to 003f, which means, accept event ]
(003e) code= BPF_RET|BPF_K jt=00 jf=00 k=00000000
---- final verdict ----
(003f) code= BPF_RET|BPF_K jt=00 jf=00 k=ffffffff
Just for the record: This chunk below shows the BPF code to filter IPv6
address 2:4:6:: {0x00020004, 0x00060000, 0x0, 0x0 } in case that
NFCT_FILTER_LOGIC_NEGATIVE is used, ie. if that address matches, drop
the event.
[...]
(0032) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000004
(0033) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(0034) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=09 k=00020004
[ this above compares first 4 bytes with 00020004, if comparison fails
it jumps to 003e ]
(0035) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000008
(0036) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(0037) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=06 k=00060000
[ this above compares second 4 bytes with 00060000, if comparison fails
it jumps to 003e ]
(0038) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=0000000c
(0039) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(003a) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=03 k=00000000
[ this above compares third 4 bytes with 00000000, if comparison fails
it jumps to 003e ]
(003b) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000010
(003c) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(003d) code= BPF_JMP|BPF_JEQ|BPF_K jt=01 jf=00 k=00000000
[ this above compares last 4 bytes with 00000000, if comparison succeeded
it jumps to 003e ]
(003e) code= BPF_JMP|BPF_JA jt=00 jf=00 k=00000001
(003f) code= BPF_RET|BPF_K jt=00 jf=00 k=00000000
[ default action specified by 003e is to drop the event ]
Tested-by: Eric Leblond <eric@regit.org>
Reported-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/conntrack')
-rw-r--r-- | src/conntrack/bsf.c | 16 |
1 files changed, 7 insertions, 9 deletions
diff --git a/src/conntrack/bsf.c b/src/conntrack/bsf.c index c14531e..534202f 100644 --- a/src/conntrack/bsf.c +++ b/src/conntrack/bsf.c @@ -562,7 +562,7 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f, unsigned int type) { unsigned int i, j, dir, attr; - unsigned int label_continue[2], jf; + unsigned int label_continue, jf; struct stack *s; struct jump jmp; @@ -592,23 +592,21 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f, jf = 1; if (f->logic[attr] == NFCT_FILTER_LOGIC_POSITIVE) { - label_continue[0] = 1; - label_continue[1] = 2; + label_continue = 1; } else { - label_continue[0] = 2; - label_continue[1] = 1; + label_continue = 2; } j = 0; j += nfct_bsf_load_payload_offset(this, j); j += nfct_bsf_find_attr(this, CTA_TUPLE_ORIG, j); - j += nfct_bsf_cmp_k_stack(this, 0, label_continue[0] - j, j, s); + j += nfct_bsf_cmp_k_stack(this, 0, label_continue - j, j, s); /* no need to access attribute payload, we are using nest-based finder * j += nfct_bsf_add_attr_data_offset(this, j); */ j += nfct_bsf_find_attr_nest(this, CTA_TUPLE_IP, j); - j += nfct_bsf_cmp_k_stack(this, 0, label_continue[0] - j, j, s); + j += nfct_bsf_cmp_k_stack(this, 0, label_continue - j, j, s); j += nfct_bsf_find_attr_nest(this, type, j); - j += nfct_bsf_cmp_k_stack(this, 0, label_continue[0] - j, j, s); + j += nfct_bsf_cmp_k_stack(this, 0, label_continue - j, j, s); j += nfct_bsf_x_equal_a(this, j); for (i = 0; i < f->l3proto_elems_ipv6[dir]; i++) { @@ -624,7 +622,7 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f, j); if (k < 3) { j += nfct_bsf_cmp_k_stack_jf(this, ip, - jf - j - label_continue[1], + jf - j - 1, j, s); } else { /* last word: jump if true */ |
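Review bot: In the last hunk, the `k < 3` branch now passes the bare literal in `jf - j - 1` to nfct_bsf_cmp_k_stack_jf() with no comment explaining why the offset is the same for both logic modes. The dumps in the commit message show the failed-comparison jumps (jf=09, 06, 03) landing on 003e in the POSITIVE and the NEGATIVE listing alike, so a one-line comment above the call saying that a mismatch on any of the first three words must land on the instruction just before the final verdict would keep that invariant visible in the code and not only in the log. The same applies to `label_continue = 1` and `label_continue = 2` in the second hunk: these are relative label values whose meaning is not stated anywhere in the visible lines, and a short comment on each assignment (or named constants) would make it clear which instruction each logic mode continues at. Since the earlier fix (4b6df76) missed the POSITIVE case, a test that loads one IPv6 address under each of NFCT_FILTER_LOGIC_POSITIVE and NFCT_FILTER_LOGIC_NEGATIVE and checks the resulting verdict would guard against a further regression in this jump arithmetic.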