<html>
    <head>
      <base href="https://bugzilla.netfilter.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Incorrectly evaluated expression with negated ip saddr and negated ip daddr"
   href="https://bugzilla.netfilter.org/show_bug.cgi?id=1385">1385</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Incorrectly evaluated expression with negated ip saddr and negated ip daddr
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>nftables
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>x86_64
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Debian GNU/Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P5
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>kernel
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>pablo@netfilter.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>spam.fa.ku@gmail.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Version 0.9.0 on Debian Buster (x86_64) as well as Raspbian Buster Lite (RPi 4B)

I noticed that if an expression contains both an ip daddr and an ip saddr
subexpression and both are negated, it seems as if only one of them needs to
match in order for the whole expression to match.

The following example triggers the bug:

define my_address = <IPv4 address>
define some_other_address = 1.2.3.4

table ip filter {
    chain output {
        type filter hook output priority 0; policy accept;

        ip saddr != $my_address drop
        ip saddr != $my_address ip daddr != $some_other_address log group 1 queue-threshold 1
    }
}

Because the first rule already drops all traffic which is not coming from
my_address, the second one, which contains the same condition, should never
match.
However, packets with source address = my_address can still be obtained in the
log (I used ulogd2).

The bug seems to be gone in higher versions (tested with 0.9.2 on
debian-testing).

This might be a somewhat special case, but because this is the version which is
supported by the current stable Debian and probably others, it might affect
some others as well.</pre>
        </div>
      </p>
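      <p>An added reproducer, written for this page and not part of the report or of the nftables project: it loads the two rules from the report with counters attached, sends loopback traffic whose source is my_address, and reads rule 2's packet counter out of <code>nft list chain</code> instead of relying on ulogd2. It assumes nft is installed, the script is run as root with the argument <code>run</code>, and MY_ADDRESS is an address the host itself sends from (127.0.0.1 by default, so that <code>ping 127.0.0.1</code> produces output-hook packets with that source). The table name <code>bz1385</code>, the comment tag, and the <code>oifname "lo" jump</code> wrapper are choices made here; the jump confines rule 1's <code>drop</code> to the loopback interface so the probe does not cut the host's real network traffic while it runs.</p>

```sh
#!/bin/sh
# Added example, not part of bug 1385 or of nftables: reproduce the report with
# rule counters instead of ulogd2. Assumes nft is installed, root, and that
# MY_ADDRESS is an address this host sends from (127.0.0.1 by default).
set -eu

MY_ADDRESS="${MY_ADDRESS:-127.0.0.1}"
OTHER_ADDRESS="${OTHER_ADDRESS:-1.2.3.4}"   # the report's some_other_address
TABLE=bz1385                               # hypothetical table name for the probe
TAG=bz1385-probe                           # comment used to find rule 2 in the listing

# Load the two rules from the report (plus counters) into a loopback-only chain,
# so rule 1's drop only affects traffic leaving via "lo" while the probe runs.
load_ruleset() {
    nft -f - <<EOF
table ip $TABLE {
    chain output {
        type filter hook output priority 0; policy accept;
        oifname "lo" jump probe
    }
    chain probe {
        ip saddr != $MY_ADDRESS counter drop
        ip saddr != $MY_ADDRESS ip daddr != $OTHER_ADDRESS counter comment "$TAG"
    }
}
EOF
}

# Pull the packet counter of the rule tagged with $2 out of an `nft list chain`
# listing passed as $1. Pure text processing, so it also works on a saved
# listing without root. Prints nothing if no rule carries that comment.
probe_count() {
    printf '%s\n' "$1" \
        | grep -F "comment \"$2\"" \
        | sed -n 's/.*counter packets \([0-9][0-9]*\) .*/\1/p'
}

# Exit status 0 when rule 2 never matched (both negations evaluated together),
# 1 when it matched packets that rule 1 let through, i.e. the reported behaviour,
# 2 when the counter could not be read.
verdict() {
    case "$1" in
        ''|*[!0-9]*) echo "could not read the counter of rule 2"; return 2 ;;
    esac
    if [ "$1" -eq 0 ]; then
        echo "ok: rule 2 matched no packets; negated saddr and daddr are AND-ed"
        return 0
    fi
    echo "BUG: rule 2 matched $1 packet(s) whose saddr == $MY_ADDRESS"
    return 1
}

run_probe() {
    load_ruleset
    trap 'nft delete table ip "$TABLE"' EXIT
    # Traffic from my_address must match neither rule 1 nor rule 2.
    ping -c 3 -W 1 "$MY_ADDRESS" >/dev/null 2>&1 || true
    listing=$(nft list chain ip "$TABLE" probe)
    verdict "$(probe_count "$listing" "$TAG")"
}

if [ "${1:-}" = run ]; then
    run_probe
fi
```

      <p>Run it as <code>sudo sh probe.sh run</code>. On a correct ruleset the pings from 127.0.0.1 fail the <code>ip saddr != 127.0.0.1</code> test in both rules, so rule 2's counter stays at zero and the script exits 0; a non-zero count means rule 2 matched packets that the identical saddr condition in rule 1 had just let through, which is exactly what the reporter saw in the ulogd2 log. The table is deleted on exit by the trap, so no rules are left behind.</p>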
    </body>
</html>