[Bug 873] New: iptables -I CHAIN -m conntrack ! --ctproto 0 is intended to produce an error message, but it doesn't (usually)
bugzilla-daemon at netfilter.org
Sat Nov 23 13:31:53 CET 2013
https://bugzilla.netfilter.org/show_bug.cgi?id=873
Summary: iptables -I CHAIN -m conntrack ! --ctproto 0 is intended to produce an error message, but it doesn't (usually)
Product: iptables
Version: 1.4.x
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P5
Component: iptables
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: quentin at armitage.org.uk
Estimated Hours: 0.0
Created attachment 426
--> https://bugzilla.netfilter.org/attachment.cgi?id=426
Patch to correct check for --ctproto 0
There are three issues in the code:
i) the check (sinfo->invflags & XT_INV_PROTO) is using the wrong mask
ii) in conntrack_mt_parse it is testing (info->invert_flags & XT_INV_PROTO)
before the invert bit has been set.
iii) the sense of the error message is the wrong way round
i) To get the error, ! --ctstatus XXX has to be specified, since XT_INV_PROTO ==
XT_CONNTRACK_STATUS,
e.g. iptables -I CHAIN -m conntrack ! --ctstatus ASSURED --ctproto 0 ...
iii) Unlike --proto 0 (where 0 means all protocols), in the conntrack match
--ctproto 0 appears to mean protocol 0, which can never be. Therefore --ctproto
0 could never match and ! --ctproto 0 will always match. Both of these should
be rejected, since the user clearly cannot be intending what was specified.
The attached patch resolves the issue, and also produces an error message if
--ctproto 0 is specified (as well as ! --ctproto 0 ), since --ctproto 0 will
never match, and ! --ctproto 0 will always match.
--
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
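The three defects the report lists are easiest to see side by side. The following C model is an added illustration, not the iptables source or the attached patch: it reproduces the flawed ordering the report describes (wrong mask, invert bit recorded after the check, message sense reversed) next to a corrected parse of one --ctproto option. The struct is a simplified stand-in for the conntrack match info, and the flag values are those recalled from the kernel uapi headers (x_tables.h, xt_conntrack.h); treat them as assumptions for the purpose of this model.

```c
/* Model of the --ctproto 0 check in a conntrack option parser.
 * Added illustration only; not the libxt_conntrack code or the patch.
 * Flag values as recalled from the kernel uapi headers (assumption). */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define XT_INV_PROTO        0x40       /* x_tables.h: invert sense of -p/--proto      */
#define XT_CONNTRACK_PROTO  (1 << 1)   /* xt_conntrack.h: --ctproto was given          */
#define XT_CONNTRACK_STATUS (1 << 6)   /* xt_conntrack.h: --ctstatus was given (0x40)  */

/* Simplified stand-in for the conntrack match info fields used here. */
struct ctinfo {
    uint16_t match_flags;
    uint16_t invert_flags;
    uint8_t  l4proto;
};

/* Outcome of parsing one --ctproto option. */
enum verdict { ACCEPTED, REJECTED_NEVER_MATCHES, REJECTED_ALWAYS_MATCHES };

/* Flawed ordering as the report describes it: the test uses XT_INV_PROTO
 * (which aliases XT_CONNTRACK_STATUS) and runs before the invert bit for
 * --ctproto is recorded. 'inverted' means '!' preceded --ctproto. */
enum verdict parse_ctproto_flawed(struct ctinfo *info, bool inverted, uint8_t proto)
{
    info->l4proto = proto;
    if (info->l4proto == 0 && (info->invert_flags & XT_INV_PROTO))
        return REJECTED_NEVER_MATCHES;      /* issue iii: wrong sense for the '!' case */
    info->match_flags |= XT_CONNTRACK_PROTO;
    if (inverted)
        info->invert_flags |= XT_CONNTRACK_PROTO; /* issue ii: set only after the check */
    return ACCEPTED;
}

/* Corrected ordering: record the invert bit first, test with the conntrack
 * mask, and reject both forms of protocol 0 with the matching message. */
enum verdict parse_ctproto_fixed(struct ctinfo *info, bool inverted, uint8_t proto)
{
    info->l4proto = proto;
    info->match_flags |= XT_CONNTRACK_PROTO;
    if (inverted)
        info->invert_flags |= XT_CONNTRACK_PROTO;
    if (info->l4proto == 0)
        return (info->invert_flags & XT_CONNTRACK_PROTO)
               ? REJECTED_ALWAYS_MATCHES    /* ! --ctproto 0 */
               : REJECTED_NEVER_MATCHES;    /* --ctproto 0   */
    return ACCEPTED;
}

/* Simulates a preceding "! --ctstatus ASSURED", which sets the STATUS invert bit
 * and, through the aliased mask, is what actually triggers the flawed check. */
void apply_inverted_ctstatus(struct ctinfo *info)
{
    info->match_flags  |= XT_CONNTRACK_STATUS;
    info->invert_flags |= XT_CONNTRACK_STATUS;
}

static const char *name(enum verdict v)
{
    return v == ACCEPTED ? "accepted"
         : v == REJECTED_NEVER_MATCHES ? "rejected: rule would never match"
         : "rejected: rule would always match";
}

int main(void)
{
    struct ctinfo a = {0}, b = {0}, c = {0}, d = {0};

    printf("flawed, '! --ctproto 0':                   %s\n",
           name(parse_ctproto_flawed(&a, true, 0)));
    apply_inverted_ctstatus(&b);
    printf("flawed, '! --ctstatus ASSURED --ctproto 0': %s\n",
           name(parse_ctproto_flawed(&b, false, 0)));
    printf("fixed,  '! --ctproto 0':                   %s\n",
           name(parse_ctproto_fixed(&c, true, 0)));
    printf("fixed,  '--ctproto 0':                     %s\n",
           name(parse_ctproto_fixed(&d, false, 0)));
    return 0;
}
```

With the flawed ordering, `! --ctproto 0` is accepted and only an unrelated inverted `--ctstatus` trips the check; with the corrected ordering both `--ctproto 0` and `! --ctproto 0` are rejected, each with the message that describes its real behaviour.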