[Bug 1385] New: Incorrectly evaluated expression with negated ip saddr and negated ip daddr
bugzilla-daemon at netfilter.org
Wed Dec 4 01:53:47 CET 2019
https://bugzilla.netfilter.org/show_bug.cgi?id=1385
Bug ID: 1385
Summary: Incorrectly evaluated expression with negated ip saddr and negated ip daddr
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P5
Component: kernel
Assignee: pablo at netfilter.org
Reporter: spam.fa.ku at gmail.com
Version 0.9.0 on Debian Buster (x86_64) as well as Raspbian Buster Lite (RPi 4B)
I noticed that when an expression contains both an ip daddr and an ip saddr
subexpression and both are negated, it seems as if only one of them needs
to match in order for the whole expression to match.
The following example triggers the bug:
define my_address = <IPv4 address>
define some_other_address = 1.2.3.4

table ip filter {
    chain output {
        type filter hook output priority 0; policy accept;
        ip saddr != $my_address drop
        ip saddr != $my_address ip daddr != $some_other_address log group 1 queue-threshold 1
    }
}
Because the first rule already drops all traffic which is not coming from
my_address, the second one, which contains the same condition, should never
match.
However, packets with source address = my_address can still be obtained in the
log (I used ulogd2).
The bug seems to be gone in higher versions (tested with 0.9.2 on
debian-testing).
This might be a somewhat special case, but because this is the version which is
supported by the current stable Debian and probably others, it might affect
some others as well.
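A small model of how the chain above is expected to be evaluated, added here as an illustration and not part of the bug report: every match inside one nft rule must hold for the rule to fire (AND), and `combine=any` stands in for the behaviour the reporter observed, where one negated match was enough. The value used for my_address is a placeholder, since the report does not give it.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: the report elides my_address, so a documentation
# address is used as a placeholder; 1.2.3.4 is taken from the report.
MY_ADDRESS = ipaddress.ip_address("192.0.2.10")        # stands in for $my_address
SOME_OTHER_ADDRESS = ipaddress.ip_address("1.2.3.4")   # $some_other_address


@dataclass(frozen=True)
class Packet:
    saddr: ipaddress.IPv4Address
    daddr: ipaddress.IPv4Address


def match(packet, field, value, negate):
    """One nft match such as 'ip saddr != X': compare a single header field."""
    return (getattr(packet, field) == value) != negate


def rule_matches(packet, matches, combine=all):
    """Correct nft semantics: all matches in a rule must hold (combine=all).
    combine=any models the faulty evaluation described in the report."""
    return combine(match(packet, f, v, n) for f, v, n in matches)


# The two rules of the reported output chain, as (field, value, negated).
RULE_DROP = [("saddr", MY_ADDRESS, True)]
RULE_LOG = [("saddr", MY_ADDRESS, True), ("daddr", SOME_OTHER_ADDRESS, True)]


def logged_packets(packets, combine=all):
    """Walk the chain: rule 1 drops, rule 2 logs. Return what reaches the log."""
    logged = []
    for pkt in packets:
        if rule_matches(pkt, RULE_DROP, combine):
            continue                      # dropped; rule 2 never sees it
        if rule_matches(pkt, RULE_LOG, combine):
            logged.append(pkt)
    return logged


SAMPLE = [  # constructed traffic
    Packet(MY_ADDRESS, ipaddress.ip_address("198.51.100.7")),          # from me, not to 1.2.3.4
    Packet(MY_ADDRESS, SOME_OTHER_ADDRESS),                            # from me, to 1.2.3.4
    Packet(ipaddress.ip_address("203.0.113.9"), SOME_OTHER_ADDRESS),   # foreign source
]
```

With `combine=all` nothing reaches the log, as the reporter expects; with `combine=any` the first sample packet, whose source is my_address, is logged, which is exactly the symptom described.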