libnetfilter_conntrack branch, master, updated. libnetfilter_conntrack-0.0.101-6-g2cb1a08

Pablo Neira netfilter-cvslog-bounces at lists.netfilter.org
Wed Jul 7 15:52:43 CEST 2010


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "libnetfilter_conntrack".

The branch, master has been updated
       via  2cb1a08254740ecd592c7917bb86c8234a34537e (commit)
      from  52161a61d1d0db2a9ca8ce652d7272dd4954c59f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 2cb1a08254740ecd592c7917bb86c8234a34537e
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Wed Jul 7 15:33:14 2010 +0200

    bsf: fix filtering for several network addresses/masks
    
    This patch fixes kernel-space filtering via BSF for several
    network addresses. The problem is that we store the network
    address of the netlink message in the ALU. Then we perform
    an AND of the network mask and the address; the result is
    stored again in the ALU. If we compare the address with
    a second address, we have to reload the address to the ALU.
    
    The following example clarifies the problem. In the following
    order, we want to filter:
    
    1) 224.0.0.0/4
    2) 127.0.0.1/32
    
    Now we receive traffic from 127.0.0.1; it should be filtered.
    However, without this patch, it is not. Let's see why:
    
    ALU   7f000001 (addr=127.0.0.1)
    AND   f0000000 (cidr=4)
    -------------------------------
    ALU   70000000
    
    This is stored in the ALU. Then, we check for 127.0.0.1:
    
    ALU   70000000 (addr=127.0.0.1) <-- it should be 7f000001
    AND   ffffffff (cidr=32)
    -------------------------------
    ALU   70000000
    
    This does not match 7f000001. To fix this, we have to reload
    7f000001 to the ALU. Thus, the second comparison works fine.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

-----------------------------------------------------------------------
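The accumulator trace in the commit message above can be reproduced with a small model of the classic BPF (BSF) semantics involved: a load from the packet, an AND with an immediate, a conditional jump on equality, and a return. The example below is added here for illustration and is not code from libnetfilter_conntrack's bsf.c; the opcode names, the struct layout and the build_filter()/run_filter()/matches() helpers are this example's own. It generalises the two-network case in the log to any list of networks: build_filter() emits the buggy form (address loaded once, then masked for every test) or the fixed form (address reloaded before each mask), and run_filter() executes it over a constructed "packet" that is just one host-order IPv4 address.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not libnetfilter_conntrack code: a minimal model of the
 * classic BPF accumulator ("ALU" in the commit message). Opcode names and
 * the instruction layout are simplified stand-ins for the real ones. */
enum { OP_LD_W = 1, OP_AND_K, OP_JEQ_K, OP_RET_K };

struct insn { uint8_t code, jt, jf; uint32_t k; };

#define ACCEPT   0xffffffffu
#define REJECT   0u
#define MAX_INSN 64            /* enough for up to 20 networks (3 insns each + 2) */

struct net { uint32_t addr; int cidr; };   /* host-order address + prefix length */

static uint32_t cidr_mask(int cidr)
{
    if (cidr <= 0)  return 0u;
    if (cidr >= 32) return 0xffffffffu;
    return 0xffffffffu << (32 - cidr);
}

/* Emit a filter accepting an address that matches any of nets[0..n), n >= 1.
 * reload=0 reproduces the bug: only the first test loads the address into A,
 * so later tests mask an already-masked accumulator.
 * reload=1 is the fixed form: every test reloads A before applying its mask. */
static size_t build_filter(const struct net *nets, size_t n, int reload,
                           struct insn *out)
{
    size_t len = 0;
    /* layout: per test [LD] AND JEQ ... then RET REJECT, RET ACCEPT */
    size_t accept_idx = (reload ? 3 * n : 2 * n + 1) + 1;

    for (size_t i = 0; i < n; i++) {
        uint32_t mask = cidr_mask(nets[i].cidr);
        if (reload || i == 0)
            out[len++] = (struct insn){ OP_LD_W, 0, 0, 0 };      /* A = addr */
        out[len++] = (struct insn){ OP_AND_K, 0, 0, mask };       /* A &= mask */
        size_t j = len;                                           /* index of the JEQ */
        out[len++] = (struct insn){ OP_JEQ_K, (uint8_t)(accept_idx - (j + 1)), 0,
                                    nets[i].addr & mask };        /* A == net ? accept */
    }
    out[len++] = (struct insn){ OP_RET_K, 0, 0, REJECT };
    out[len++] = (struct insn){ OP_RET_K, 0, 0, ACCEPT };
    return len;
}

/* Interpret prog over a "packet" consisting of just one IPv4 address.
 * With trace set, print A after each load/AND in the style of the commit
 * message. Unknown opcodes and running off the end both fail closed. */
static uint32_t run_filter(const struct insn *prog, size_t n, uint32_t addr, int trace)
{
    uint32_t A = 0;
    size_t pc = 0;
    while (pc < n) {
        const struct insn *in = &prog[pc];
        switch (in->code) {
        case OP_LD_W:  A = addr;   pc++; break;
        case OP_AND_K: A &= in->k; pc++; break;
        case OP_JEQ_K: pc += 1 + (A == in->k ? in->jt : in->jf); break;
        case OP_RET_K: return in->k;
        default:       return REJECT;
        }
        if (trace && (in->code == OP_LD_W || in->code == OP_AND_K))
            printf("  %s %08x -> ALU %08x\n",
                   in->code == OP_LD_W ? "LD " : "AND",
                   in->code == OP_LD_W ? addr : in->k, A);
    }
    return REJECT;
}

/* Does addr pass the filter built from nets[], with or without the reload? */
static int matches(const struct net *nets, size_t n, int reload, uint32_t addr)
{
    struct insn prog[MAX_INSN];
    size_t len = build_filter(nets, n, reload, prog);
    return run_filter(prog, len, addr, 0) == ACCEPT;
}

/* The two networks from the commit message, in the same order (constructed input). */
static const struct net commit_nets[] = {
    { 0xe0000000u, 4 },    /* 224.0.0.0/4 */
    { 0x7f000001u, 32 },   /* 127.0.0.1/32 */
};

int main(void)
{
    const uint32_t loopback = 0x7f000001u;   /* traffic from 127.0.0.1 */
    struct insn prog[MAX_INSN];
    size_t len;

    printf("without reload:\n");
    len = build_filter(commit_nets, 2, 0, prog);
    printf("  127.0.0.1 -> %s\n",
           run_filter(prog, len, loopback, 1) == ACCEPT ? "match" : "no match");

    printf("with reload:\n");
    len = build_filter(commit_nets, 2, 1, prog);
    printf("  127.0.0.1 -> %s\n",
           run_filter(prog, len, loopback, 1) == ACCEPT ? "match" : "no match");
    return 0;
}
```

Running the buggy program prints the 70000000 accumulator value twice, exactly as the log shows: the second AND with ffffffff has nothing to restore because the /4 mask has already cleared the low bits. The fixed program reloads 7f000001 before the second AND and the comparison succeeds. The same reload is needed before every test after the first, not only the second, which is why build_filter() emits it per network rather than once.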

Summary of changes:
 src/conntrack/bsf.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)


hooks/post-receive
-- 
libnetfilter_conntrack
