author | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-08-20 16:11:00 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-08-20 17:38:24 +0200 |
commit | 89de65dc184e7b7ed5bfededd647e190c3bf310a (patch) | |
tree | d929a771bf71f15fbe1d55c12911e658d30451df /src/expect/build_mnl.c | |
parent | 4b6df760e3b19ec522b66cbbb5b280fec7c0405b (diff) |
conntrack: fix BPF code for IPv6 filtering in case of NFCT_FILTER_LOGIC_POSITIVE
4b6df76 conntrack: fix autogenerated BPF code for IPv6 filtering aimed
to fix a bug in the IPv6 BPF filtering. However, it didn't fix it for
the NFCT_FILTER_LOGIC_POSITIVE case since the jump is still miscalculated.
This chunk below shows the BPF code to filter IPv6 address 2:4:6::
{0x00020004, 0x00060000, 0x0, 0x0 } in case that NFCT_FILTER_LOGIC_POSITIVE
is used, ie. if that address matches, accept the event.
(0032) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000004
(0033) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(0034) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=09 k=00020004
[ this above compares second 4 bytes with 00020004, if comparison fails
it jumps to 003e ]
(0035) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000008
(0036) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(0037) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=06 k=00060000
[ this above compares second 4 bytes with 00060000, if comparison fails
it jumps to 003e ]
(0038) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=0000000c
(0039) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(003a) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=03 k=00000000
[ this above compares third 4 bytes with 00000000, if comparison fails
it jumps to 003e ]
(003b) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000010
(003c) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(003d) code= BPF_JMP|BPF_JEQ|BPF_K jt=01 jf=00 k=00000000
[ this above compares last 4 bytes with 00000000, if comparison succeeded
it jumps to 003f, which means, accept event ]
(003e) code= BPF_RET|BPF_K jt=00 jf=00 k=00000000
---- final verdict ----
(003f) code= BPF_RET|BPF_K jt=00 jf=00 k=ffffffff
Just for the record: This chunk below shows the BPF code to filter IPv6
address 2:4:6:: {0x00020004, 0x00060000, 0x0, 0x0 } in case that
NFCT_FILTER_LOGIC_NEGATIVE is used, ie. if that address matches, drop
the event.
[...]
(0032) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000004
(0033) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(0034) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=09 k=00020004
[ this above compares first 4 bytes with 00020004, if comparison fails
it jumps to 003e ]
(0035) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000008
(0036) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(0037) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=06 k=00060000
[ this above compares second 4 bytes with 00060000, if comparison fails
it jumps to 003e ]
(0038) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=0000000c
(0039) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(003a) code= BPF_JMP|BPF_JEQ|BPF_K jt=00 jf=03 k=00000000
[ this above compares third 4 bytes with 00000000, if comparison fails
it jumps to 003e ]
(003b) code= BPF_LD|BPF_W|BPF_IND jt=00 jf=00 k=00000010
(003c) code= BPF_ALU|BPF_AND|BPF_K jt=00 jf=00 k=ffffffff
(003d) code= BPF_JMP|BPF_JEQ|BPF_K jt=01 jf=00 k=00000000
[ this above compares last 4 bytes with 00000000, if comparison succeeded
it jumps to 003e ]
(003e) code= BPF_JMP|BPF_JA jt=00 jf=00 k=00000001
(003f) code= BPF_RET|BPF_K jt=00 jf=00 k=00000000
[ default action specified by 003e is to drop the event ]
Tested-by: Eric Leblond <eric@regit.org>
Reported-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/expect/build_mnl.c')
0 files changed, 0 insertions, 0 deletions
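The jump offsets in the NFCT_FILTER_LOGIC_POSITIVE listing above can be checked by executing it. This is an added example, not code from the commit or from the project: `struct insn`, `run` and `verdict_positive` are hypothetical names, and the buffer layout (a 4-byte attribute header followed by the address, with X = 0) is an assumption made so the `k=4..10` loads line up.

```c
#include <stdint.h>
#include <stdio.h>

/* Classic BPF instruction with the fields the dump prints: code, jt, jf, k. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { LD_W_IND = 0x40, ALU_AND_K = 0x54, JEQ_K = 0x15, RET_K = 0x06 };

/* Instructions 0032..003f of the NFCT_FILTER_LOGIC_POSITIVE dump (index 0 = 0032). */
static const struct insn positive[] = {
    {LD_W_IND, 0, 0, 0x04}, {ALU_AND_K, 0, 0, 0xffffffff}, {JEQ_K, 0, 9, 0x00020004},
    {LD_W_IND, 0, 0, 0x08}, {ALU_AND_K, 0, 0, 0xffffffff}, {JEQ_K, 0, 6, 0x00060000},
    {LD_W_IND, 0, 0, 0x0c}, {ALU_AND_K, 0, 0, 0xffffffff}, {JEQ_K, 0, 3, 0x00000000},
    {LD_W_IND, 0, 0, 0x10}, {ALU_AND_K, 0, 0, 0xffffffff}, {JEQ_K, 1, 0, 0x00000000},
    {RET_K, 0, 0, 0x00000000},  /* 003e: no match, drop the event */
    {RET_K, 0, 0, 0xffffffff},  /* 003f: match, accept the event */
};

/* Minimal interpreter: a jump lands at pc + 1 + offset (0034 with jf=09 -> 003e). */
static uint32_t run(const struct insn *p, size_t n, const uint8_t *buf, size_t len, uint32_t x)
{
    uint32_t a = 0;
    for (size_t pc = 0; pc < n; pc++) {     /* pc++ supplies the "+ 1" */
        switch (p[pc].code) {
        case LD_W_IND:                      /* A = big-endian word at buf[X + k] */
            if ((uint64_t)x + p[pc].k + 4 > len) return 0;
            for (int b = 0; b < 4; b++) a = a << 8 | buf[x + p[pc].k + b];
            break;
        case ALU_AND_K: a &= p[pc].k; break;
        case JEQ_K: pc += (a == p[pc].k) ? p[pc].jt : p[pc].jf; break;
        case RET_K: return p[pc].k;
        default: return 0;                  /* opcode outside this sketch: drop */
        }
    }
    return 0;
}

/* Constructed input: 4-byte header, then the address in network order (assumes X = 0). */
uint32_t verdict_positive(const uint32_t addr[4])
{
    uint8_t buf[20] = {0};
    for (int w = 0; w < 16; w++)
        buf[4 + w] = (uint8_t)(addr[w / 4] >> (24 - 8 * (w % 4)));
    return run(positive, sizeof(positive) / sizeof(positive[0]), buf, sizeof(buf), 0);
}

int main(void)
{
    const uint32_t m[4] = {0x00020004, 0x00060000, 0, 0};  /* 2:4:6:: from the page */
    return printf("%08x\n", (unsigned)verdict_positive(m)) < 0;
}
```

A mismatch in any of the four words must land on the `RET 0` at 003e, which is what the decreasing `jf` values 09, 06, 03 and the final `jt=01` encode.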