<html>

    <head>

      <base href="https://bugzilla.netfilter.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - Incorrectly evaluated expression with negated ip saddr and negated ip daddr"

   href="https://bugzilla.netfilter.org/show_bug.cgi?id=1385">1385</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>Incorrectly evaluated expression with negated ip saddr and negated ip daddr

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>nftables

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>unspecified

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>x86_64

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>Debian GNU/Linux

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P5

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>kernel

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>pablo@netfilter.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>spam.fa.ku@gmail.com

          </td>

        </tr></table>

      <p>

        <div>

        <pre>Version 0.9.0 on Debian Buster (x86_64) as well as Raspbian Buster Lite (RPi

4B)

I noticed, that there an expression which contains both an ip daddr and an ip

saddr subexpression and both are negated, it seems as if only one of them needs

to match in order that the whole expression matches.

The following example triggers the bug:

define my_address = <IPv4 address>

define some_other_address = 1.2.3.4  

table ip filter {         

    chain output {                 

        type filter hook output priority 0; policy accept;

        ip saddr != $my_address drop

        ip saddr != $my_address ip daddr != $some_other_address log group 1

queue-threshold 1

    }

}

Because the first rule already drops all traffic which is not coming from

my_address, the second one, which contains the same condition, should never

match.

However, packets with source address = my_address can still be obtained in the

log (I used ulogd2).

The bug seems to be gone in higher versions (tested with 0.9.2 on

debian-testing).

This might be a somewhat special case, but because this is the version which is

supported by the current stable Debian and probably others, it might affect

some others as well.</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are watching all bug changes.</li>

      </ul>

    </body>

</html>