author | Jeremy Sowden <jeremy@azazel.net> | 2020-01-06 22:35:10 +0000 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-01-08 23:33:09 +0100 |
commit | 6a2a56fcb81cf2e5ef46d37001810b82a56a42a5 (patch) | |
tree | ac18a17ebb9ec70685de63583ce21a7e3eb62a09 /autogen.sh | |
parent | c1ce4072b72e34300bd7bb406652a60f62384fc8 (diff) |

evaluate: fix expr_set_context call for shift binops.

expr_evaluate_binop calls expr_set_context for shift expressions to set
the context data-type to `integer`. This clobbers the byte-order of the
context, resulting in unexpected conversions to NBO. For example:

    $ sudo nft flush ruleset
    $ sudo nft add table t
    $ sudo nft add chain t c '{ type filter hook output priority mangle; }'
    $ sudo nft add rule t c oif lo tcp dport ssh ct mark set '0x10 | 0xe'
    $ sudo nft add rule t c oif lo tcp dport ssh ct mark set '0xf << 1'
    $ sudo nft list table t
    table ip t {
            chain c {
                    type filter hook output priority mangle; policy accept;
                    oif "lo" tcp dport 22 ct mark set 0x0000001e
                    oif "lo" tcp dport 22 ct mark set 0x1e000000
            }
    }

Replace it with a call to __expr_set_context and set the byteorder to
that of the left operand since this is the value being shifted.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'autogen.sh')
0 files changed, 0 insertions, 0 deletions
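
Added example, not part of the commit or of the nftables source: a simplified C model of the symptom in the commit message, where `0xf << 1` is stored as `0x1e000000` once the context's byte order is lost and as `0x0000001e` when the left operand's byte order is kept. The type and function names, the little-endian host, and the rule that an unset byte order is emitted in network byte order are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the bug; NOT nftables source. All names are hypothetical. */
enum byteorder { BO_UNSET, BO_HOST, BO_NETWORK };

struct eval_ctx { enum byteorder byteorder; unsigned int len; };

/* Lay a 32-bit constant out in a register. Model assumptions: the host is
 * little-endian, and a context with no byte order yields network order. */
static void emit_const(const struct eval_ctx *ctx, uint32_t v, uint8_t reg[4])
{
    for (int i = 0; i < 4; i++) {
        int shift = (ctx->byteorder == BO_HOST) ? 8 * i : 8 * (3 - i);
        reg[i] = (uint8_t)(v >> shift);
    }
}

/* ct mark is a host-order u32: read the register back as little-endian. */
static uint32_t read_mark(const uint8_t reg[4])
{
    return (uint32_t)reg[0] | (uint32_t)reg[1] << 8 |
           (uint32_t)reg[2] << 16 | (uint32_t)reg[3] << 24;
}

/* Evaluate "left << bits" for a statement whose context is ctx.
 * keep_left_byteorder = 0 models the old call that reset the context;
 * keep_left_byteorder = 1 models the fix described in the commit message. */
static uint32_t eval_shift(struct eval_ctx ctx, enum byteorder left_bo,
                           uint32_t left, unsigned int bits,
                           int keep_left_byteorder)
{
    uint8_t reg[4];

    ctx.byteorder = keep_left_byteorder ? left_bo : BO_UNSET;
    emit_const(&ctx, left << bits, reg);
    return read_mark(reg);
}

int main(void)
{
    struct eval_ctx ct_mark = { BO_HOST, 32 };   /* constructed sample context */

    printf("before fix: 0x%08x\n", (unsigned)eval_shift(ct_mark, BO_HOST, 0xf, 1, 0));
    printf("after fix:  0x%08x\n", (unsigned)eval_shift(ct_mark, BO_HOST, 0xf, 1, 1));
    return 0;
}
```

For rule review, the practical check is the one the commit message uses: list the table after loading and compare the stored mark with the intended value.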