[Bug 874] New: Any conntrack conditions specified with --ctstate INVALID are not checked
bugzilla-daemon at netfilter.org
Sat Nov 23 13:44:52 CET 2013
https://bugzilla.netfilter.org/show_bug.cgi?id=874
Summary: Any conntrack conditions specified with --ctstate INVALID are not checked
Product: iptables
Version: 1.4.x
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P5
Component: iptables
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: quentin at armitage.org.uk
Estimated Hours: 0.0
Created attachment 427
--> https://bugzilla.netfilter.org/attachment.cgi?id=427
Patch to not allow any other conntrack matches with ctstate INVALID
In the kernel net/netfilter/xt_conntrack.c function conntrack_mt, if there is
no conntrack entry, the state is considered invalid. Then, a further check for
no conntrack entry causes a return, before any other checks are made.
An example is:
iptables -A CHAIN -m conntrack --ctstate INVALID --ctproto tcp
which would match a UDP packet (or any other protocol), and could cause
considerable confusion.
To circumvent the problem of matches that are specified but not checked,
if the state match is a positive match of INVALID, do not allow any other
conntrack tests.
The attached patch adds the test suggested.
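The following is an added example, not code from the kernel, from iptables or from the attached patch (which is not shown on this page). It is a small userspace model of the control flow in conntrack_mt() that the report describes: the state is derived (no conntrack entry means INVALID), --ctstate is tested, and then the function returns before any other sub-match is evaluated whenever there is no entry. The flag names, struct layouts and the rule-time check ct_rule_is_valid() are simplified assumptions written to illustrate the report, not the real kernel ABI or the libxt_conntrack implementation; the rule-time check re-implements the reporter's suggestion (reject any other conntrack test alongside a positive match of INVALID) as an assumption of what such a check would look like.

```c
/* Added example, not kernel or iptables code: model of the short-circuit in
 * xt_conntrack.c conntrack_mt() reported in bug 874, plus a rule-time check
 * in the spirit of the reporter's suggestion. All names and values here are
 * simplified assumptions, not the real kernel ABI. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Which sub-matches a rule asked for (models info->match_flags). */
enum { CT_MATCH_STATE = 1 << 0, CT_MATCH_PROTO = 1 << 1 };

/* Connection states as a bitmask (models XT_CONNTRACK_STATE_*). */
enum {
    CT_STATE_INVALID     = 1 << 0,
    CT_STATE_NEW         = 1 << 1,
    CT_STATE_ESTABLISHED = 1 << 2,
    CT_STATE_RELATED     = 1 << 3,
};

#define PROTO_TCP 6
#define PROTO_UDP 17

struct ct_rule {
    unsigned match_flags;  /* CT_MATCH_* bits the rule specified */
    unsigned invert_flags; /* CT_MATCH_* bits negated with '!' */
    unsigned state_mask;   /* CT_STATE_* bits given to --ctstate */
    uint8_t  proto;        /* value given to --ctproto */
};

struct packet {
    bool     has_ct;   /* false: no conntrack entry, which is what makes it INVALID */
    unsigned ct_state; /* state bit of the entry when has_ct is true */
    uint8_t  l4proto;  /* L4 protocol of the packet (assumed equal to the entry's tuple proto) */
};

/* Models conntrack_mt(): derive the state, test --ctstate, then return early
 * when there is no conntrack entry, before --ctproto is ever looked at. */
static bool conntrack_mt_model(const struct ct_rule *r, const struct packet *p)
{
    unsigned statebit = p->has_ct ? p->ct_state : CT_STATE_INVALID;

    if (r->match_flags & CT_MATCH_STATE) {
        if (!!(r->state_mask & statebit) ^ !(r->invert_flags & CT_MATCH_STATE))
            return false;
    }

    /* The early return the report points at: with no entry, the verdict is
     * "matched" as long as a state match was present, whatever else the rule
     * asked for. The --ctproto test below is skipped entirely. */
    if (!p->has_ct)
        return (r->match_flags & CT_MATCH_STATE) != 0;

    if ((r->match_flags & CT_MATCH_PROTO) &&
        ((p->l4proto == r->proto) ^ !(r->invert_flags & CT_MATCH_PROTO)))
        return false;

    return true;
}

/* Rule-time check following the reporter's suggestion (an assumption about
 * the attached patch, which is not reproduced here): a positive --ctstate
 * match whose mask includes INVALID may not be combined with any other
 * conntrack sub-match, because the kernel would never evaluate it for
 * untracked packets. "! --ctstate INVALID" is allowed, since an inverted
 * state match only passes packets that do have an entry. */
static bool ct_rule_is_valid(const struct ct_rule *r)
{
    bool positive_invalid = (r->match_flags & CT_MATCH_STATE) &&
                            !(r->invert_flags & CT_MATCH_STATE) &&
                            (r->state_mask & CT_STATE_INVALID);
    return !(positive_invalid && (r->match_flags & ~CT_MATCH_STATE));
}

/* The report's example: --ctstate INVALID --ctproto tcp against a UDP packet
 * that has no conntrack entry. Returns true, i.e. the rule matches. */
static bool bug874_untracked_udp_matches_tcp_rule(void)
{
    struct ct_rule r = { CT_MATCH_STATE | CT_MATCH_PROTO, 0, CT_STATE_INVALID, PROTO_TCP };
    struct packet udp_no_ct = { false, 0, PROTO_UDP };
    return conntrack_mt_model(&r, &udp_no_ct);
}

/* Contrast: with an entry present, --ctproto tcp is evaluated and a UDP
 * packet in state NEW does not match. Returns false. */
static bool tracked_udp_matches_tcp_rule(void)
{
    struct ct_rule r = { CT_MATCH_STATE | CT_MATCH_PROTO, 0, CT_STATE_NEW, PROTO_TCP };
    struct packet udp_new = { true, CT_STATE_NEW, PROTO_UDP };
    return conntrack_mt_model(&r, &udp_new);
}

int main(void)
{
    struct ct_rule bad = { CT_MATCH_STATE | CT_MATCH_PROTO, 0, CT_STATE_INVALID, PROTO_TCP };
    printf("untracked UDP vs 'INVALID --ctproto tcp' matches: %d\n",
           bug874_untracked_udp_matches_tcp_rule());
    printf("tracked NEW UDP vs 'NEW --ctproto tcp' matches: %d\n",
           tracked_udp_matches_tcp_rule());
    printf("rule 'INVALID --ctproto tcp' accepted by rule-time check: %d\n",
           ct_rule_is_valid(&bad));
    return 0;
}
```

The model deliberately keeps the XOR form of the kernel's state and protocol tests so the reader can map each line back to conntrack_mt(); the only behavioural point it makes is that the `if (!p->has_ct)` return sits above the protocol test, which is exactly why a rule-time rejection, rather than a change to the packet path, is what the report proposes.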