libnetfilter_conntrack branch, master, updated. libnetfilter_conntrack-0.0.101-6-g2cb1a08
Pablo Neira
netfilter-cvslog-bounces at lists.netfilter.org
Wed Jul 7 15:52:43 CEST 2010
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "libnetfilter_conntrack".
The branch, master has been updated
via 2cb1a08254740ecd592c7917bb86c8234a34537e (commit)
from 52161a61d1d0db2a9ca8ce652d7272dd4954c59f (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 2cb1a08254740ecd592c7917bb86c8234a34537e
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date: Wed Jul 7 15:33:14 2010 +0200
bsf: fix filtering for several network address/mask
This patch fixes kernel-space filtering via BSF for several
network addresses. The problem is that we store the network
address of the netlink message in the ALU. Then, we perform
an AND of the network mask and the address; the result of this
operation is stored again in the ALU. If we compare the address with
a second address, we have to reload the address to the ALU.
The following example clarifies the problem. In the following
order, we want to filter:
1) 224.0.0.0/4
2) 127.0.0.1/32
Now, we receive traffic from 127.0.0.1; it should be filtered.
However, without this patch, it is not. Let's see why:
ALU 7f000001 (addr=127.0.0.1)
AND f0000000 (cidr=4)
-------------------------------
ALU 70000000
this is stored in the ALU. Then, we check for 127.0.0.1:
ALU 70000000 (addr=127.0.0.1) <-- it should be 7f000001
AND ffffffff (cidr=32)
-------------------------------
ALU 70000000
This does not match 7f000001. To fix this, we have to reload
7f000001 to the ALU. Thus, the second comparison works fine.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
-----------------------------------------------------------------------
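The ALU trace above, run as code. This is an added example and not the code of libnetfilter_conntrack's src/conntrack/bsf.c: it carries a minimal classic-BPF interpreter (only ld/and/jeq/ret, with opcode values mirroring <linux/filter.h> so it builds anywhere), builds the "match any of these networks" program both without the reload (the pre-patch behaviour) and with it, and runs both over a constructed message. Assumptions: the IPv4 address sits as a big-endian word at offset ADDR_OFF of the buffer (the real netlink attribute offset differs), and the reload is done with a second ld from the message rather than whatever one-line change bsf.c actually uses. The names run_bpf, build_filter, filter_accepts and example_nets are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classic BPF opcode fields, same numeric values as <linux/filter.h>,
 * defined here so the example builds on any platform. */
#define BPF_LD   0x00
#define BPF_ALU  0x04
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_W    0x00
#define BPF_ABS  0x20
#define BPF_AND  0x50
#define BPF_JEQ  0x10
#define BPF_K    0x00

struct sock_filter { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

struct net4 { uint32_t addr; uint32_t mask; };   /* host byte order */

/* Assumed message layout: the IPv4 address is a big-endian word at ADDR_OFF.
 * The real netlink payload offset used by bsf.c is different. */
#define ADDR_OFF  8
#define BUF_LEN   16
#define MAX_NETS  8
#define MAX_INSNS (3 * MAX_NETS + 2)

/* Tiny interpreter for the four instruction kinds used below. Returns the
 * program's return value: nonzero = accept the message, 0 = drop it. */
static uint32_t run_bpf(const struct sock_filter *prog, size_t len,
                        const uint8_t *buf, size_t buflen)
{
    uint32_t A = 0;                               /* the accumulator ("ALU") */
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:            /* A = big-endian word at buf[k] */
            if ((size_t)in->k + 4 > buflen)
                return 0;
            A = ((uint32_t)buf[in->k] << 24) | ((uint32_t)buf[in->k + 1] << 16)
              | ((uint32_t)buf[in->k + 2] << 8) | (uint32_t)buf[in->k + 3];
            break;
        case BPF_ALU | BPF_AND | BPF_K:           /* A &= k */
            A &= in->k;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:           /* skip jt or jf insns (relative to pc+1) */
            pc += (A == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return 0;                             /* unsupported opcode: drop */
        }
    }
    return 0;
}

/* Emit "accept if the address belongs to any of nets[0..n)". With reload == 0
 * the address is loaded once, so each AND works on the previous AND's result
 * (the pre-patch mistake); with reload == 1 it is loaded again before every
 * mask. Returns the number of instructions written. */
static size_t build_filter(struct sock_filter *prog, const struct net4 *nets,
                           size_t n, int reload)
{
    size_t total  = (reload ? n : 1) + 2 * n + 2;  /* loads + and/jeq pairs + 2 rets */
    size_t accept = total - 1;                     /* index of "ret accept" */
    size_t i = 0;
    for (size_t j = 0; j < n; j++) {
        if (j == 0 || reload)
            prog[i++] = (struct sock_filter){ BPF_LD | BPF_W | BPF_ABS, 0, 0, ADDR_OFF };
        prog[i++] = (struct sock_filter){ BPF_ALU | BPF_AND | BPF_K, 0, 0, nets[j].mask };
        /* true: jump to "ret accept"; false: fall through to the next network */
        prog[i] = (struct sock_filter){ BPF_JMP | BPF_JEQ | BPF_K,
                                        (uint8_t)(accept - (i + 1)), 0,
                                        nets[j].addr & nets[j].mask };
        i++;
    }
    prog[i++] = (struct sock_filter){ BPF_RET | BPF_K, 0, 0, 0 };           /* drop */
    prog[i++] = (struct sock_filter){ BPF_RET | BPF_K, 0, 0, 0xffffffffu }; /* accept */
    return i;
}

/* Run the filter over a constructed message carrying addr (host byte order). */
int filter_accepts(const struct net4 *nets, size_t n, int reload, uint32_t addr)
{
    struct sock_filter prog[MAX_INSNS];
    uint8_t buf[BUF_LEN] = { 0 };               /* constructed input, not a real netlink message */
    if (n > MAX_NETS)
        return 0;
    buf[ADDR_OFF]     = (uint8_t)(addr >> 24);
    buf[ADDR_OFF + 1] = (uint8_t)(addr >> 16);
    buf[ADDR_OFF + 2] = (uint8_t)(addr >> 8);
    buf[ADDR_OFF + 3] = (uint8_t)addr;
    size_t len = build_filter(prog, nets, n, reload);
    return run_bpf(prog, len, buf, sizeof buf) != 0;
}

/* The two networks from the commit message, in the same order. */
const struct net4 example_nets[2] = {
    { 0xe0000000u, 0xf0000000u },   /* 224.0.0.0/4  */
    { 0x7f000001u, 0xffffffffu },   /* 127.0.0.1/32 */
};

int main(void)
{
    printf("127.0.0.1, no reload (pre-patch): %d\n",
           filter_accepts(example_nets, 2, 0, 0x7f000001u));
    printf("127.0.0.1, with reload (patched): %d\n",
           filter_accepts(example_nets, 2, 1, 0x7f000001u));
    return 0;
}
```

Without the reload, the second AND runs on 0x70000000 instead of 0x7f000001, exactly the state the trace above shows, so 127.0.0.1 is dropped; with the reload it is accepted. Multicast (224.0.0.1) passes either way because it is the first network and the accumulator is still fresh, which is why a bug like this only shows up once a filter carries more than one network.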
Summary of changes:
src/conntrack/bsf.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
hooks/post-receive
--
libnetfilter_conntrack