<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - Kernel IPv6 event filtering not working"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1062#c2">Comment # 2</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - Kernel IPv6 event filtering not working"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1062">bug 1062</a>
from <span class="vcard"><a class="email" href="mailto:jeremy@azazel.net" title="Jeremy Sowden <jeremy@azazel.net>"> <span class="fn">Jeremy Sowden</span></a>
</span></b>
<pre>In the ipv4 case:
	for (i = 0; i < f->l3proto_elems[dir]; i++) {
		int ip = f->l3proto[dir][i].addr & f->l3proto[dir][i].mask;

		j += nfct_bsf_load_attr(this, BPF_W, j);
		j += nfct_bsf_alu_and(this, f->l3proto[dir][i].mask, j);
		j += nfct_bsf_cmp_k_stack(this, ip, jt - j, j, s);
	}

there is one comparison per address and if it matches we jump to the end of the
filter.
In the ipv6 case:
	for (i = 0; i < f->l3proto_elems_ipv6[dir]; i++) {
		int k, offset;

		for (k = 0, offset = 0; k < 4; k++, offset += 4) {
			int ip = f->l3proto_ipv6[dir][i].addr[k] &
				 f->l3proto_ipv6[dir][i].mask[k];

			j += nfct_bsf_load_attr_offset(this, BPF_W, offset, j);
			j += nfct_bsf_alu_and(this,
					      f->l3proto_ipv6[dir][i].mask[k],
					      j);
			if (k < 3) {
				j += nfct_bsf_cmp_k_stack_jf(this, ip,
							     jf - j - 1,
							     j, s);
			} else {
				/* last word: jump if true */
				j += nfct_bsf_cmp_k_stack(this, ip, jf - j,
							  j, s);
			}
		}
	}

there are four comparisons per address. The last comparison, as before, jumps
to the end of the filter if there is a match. The problem is that the first
three comparisons jump to the end of the filter if there _isn't_ a match, when
what we should do is jump to the next address in the filter.</pre>
</div>
</p>
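<p>The jump behaviour described in the comment above, as an added C model that is not part of the bug report or of libnetfilter_conntrack. The function <code>v6_filter_match</code>, its <code>skip_to_next</code> switch and the sample addresses are hypothetical, and reaching the end of the filter without a match is assumed to mean "no match".</p>

```c
#include <stdint.h>
#include <stdio.h>

/* Added model of the jump logic described in the comment; hypothetical names,
 * not libnetfilter_conntrack code. Words are compared as plain uint32_t. */
struct v6_entry { uint32_t addr[4], mask[4]; };

/* skip_to_next == 0: mismatch in words 0..2 jumps to the end of the filter
 *                    (behaviour described in the comment).
 * skip_to_next == 1: mismatch jumps to the next address (behaviour asked for).
 * Returns 1 when an entry matched, 0 when the filter ended without a match
 * (assumption: reaching the end without a match means "no match"). */
static int v6_filter_match(const struct v6_entry *f, int n,
                           const uint32_t ip[4], int skip_to_next)
{
    for (int i = 0; i < n; i++) {
        int k = 0;
        while (k < 4 && (ip[k] & f[i].mask[k]) == (f[i].addr[k] & f[i].mask[k]))
            k++;
        if (k == 4)
            return 1;   /* last word matched: jump to end of filter */
        if (k < 3 && !skip_to_next)
            return 0;   /* early exit: remaining addresses never compared */
        /* last-word mismatch, or corrected jump: fall through to next entry */
    }
    return 0;
}

#define FULL 0xffffffffu
/* Constructed sample data from the 2001:db8::/32 documentation prefix. */
static const struct v6_entry FILTER[] = {
    { {0x20010db8u, 0x1, 0, 0x1}, {FULL, FULL, FULL, FULL} }, /* 2001:db8:0:1::1 */
    { {0x20010db8u, 0x1, 0, 0x2}, {FULL, FULL, FULL, FULL} }, /* 2001:db8:0:1::2 */
    { {0x20010db8u, 0x2, 0, 0x1}, {FULL, FULL, FULL, FULL} }, /* 2001:db8:0:2::1 */
};
static const uint32_t EV_A[4] = {0x20010db8u, 0x1, 0, 0x1};
static const uint32_t EV_B[4] = {0x20010db8u, 0x1, 0, 0x2};
static const uint32_t EV_C[4] = {0x20010db8u, 0x2, 0, 0x1};

int main(void)
{
    const uint32_t *ev[] = {EV_A, EV_B, EV_C};
    for (int i = 0; i < 3; i++)
        printf("event %d: described=%d corrected=%d\n", i,
               v6_filter_match(FILTER, 3, ev[i], 0),
               v6_filter_match(FILTER, 3, ev[i], 1));
    return 0;
}
```

<p>In this model the event for the third address is dropped under the described jumps because its second word already differs from the first entry, while an event that differs from the first entry only in its last word still reaches the next entry.</p>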
</body>
</html>