[Bug 1062] Kernel IPv6 event filtering not working
bugzilla-daemon at netfilter.org
Sun Sep 3 18:37:06 CEST 2023
https://bugzilla.netfilter.org/show_bug.cgi?id=1062
--- Comment #2 from Jeremy Sowden <jeremy at azazel.net> ---
In the ipv4 case:
    for (i = 0; i < f->l3proto_elems[dir]; i++) {
        int ip = f->l3proto[dir][i].addr & f->l3proto[dir][i].mask;

        j += nfct_bsf_load_attr(this, BPF_W, j);
        j += nfct_bsf_alu_and(this, f->l3proto[dir][i].mask, j);
        j += nfct_bsf_cmp_k_stack(this, ip, jt - j, j, s);
    }
there is one comparison per address and if it matches we jump to the end of the
filter.
In the ipv6 case:
    for (i = 0; i < f->l3proto_elems_ipv6[dir]; i++) {
        int k, offset;

        for (k = 0, offset = 0; k < 4; k++, offset += 4) {
            int ip = f->l3proto_ipv6[dir][i].addr[k] &
                     f->l3proto_ipv6[dir][i].mask[k];

            j += nfct_bsf_load_attr_offset(this, BPF_W, offset, j);
            j += nfct_bsf_alu_and(this,
                                  f->l3proto_ipv6[dir][i].mask[k],
                                  j);
            if (k < 3) {
                j += nfct_bsf_cmp_k_stack_jf(this, ip,
                                             jf - j - 1,
                                             j, s);
            } else {
                /* last word: jump if true */
                j += nfct_bsf_cmp_k_stack(this, ip, jf - j,
                                          j, s);
            }
        }
    }
there are four comparisons per address. The last comparison, as before, jumps
to the end of the filter if there is a match. The problem is that the first
three comparisons jump to the end of the filter if there _isn't_ a match, when
what we should do is jump to the next address in the filter.
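A toy model of the filter program the comment describes, added here as an illustration and not code from libnetfilter_conntrack or the bug report. It builds the per-word compare-and-jump layout for a list of IPv6 address/mask entries with either the buggy or the corrected mismatch target and interprets it, showing that with the buggy layout only the first address of a multi-address filter can ever match. Assumptions of the model: jump targets are absolute instruction indices rather than cBPF relative offsets, the "end of the filter" that a mismatch jumps to is the REJECT verdict after the last address, and the instruction names ld/and/jeq are the model's own.

```python
import ipaddress

# Toy model of the cBPF program libnetfilter_conntrack emits for an IPv6
# address filter: four (ld, and, jeq) triples per address, one per 32-bit
# word, then a REJECT verdict that a successful match jumps over.  Jump
# targets are absolute indices here (real cBPF uses relative offsets).
INSNS_PER_ADDR = 12  # 4 words * (ld, and, jeq)

def words(ip):
    """Split an IPv6 address or mask string into four 32-bit words."""
    n = int(ipaddress.IPv6Address(ip))
    return [(n >> (96 - 32 * k)) & 0xFFFFFFFF for k in range(4)]

def build_filter(entries, fixed):
    """entries: list of (address, mask) strings.  fixed=False reproduces
    the bug: a mismatch on words 0..2 jumps to the end of the filter (the
    REJECT verdict) instead of to the next address; fixed=True jumps to
    the next address, so every entry gets compared."""
    prog = []
    end = INSNS_PER_ADDR * len(entries)  # index of the trailing REJECT
    for idx, (addr, mask) in enumerate(entries):
        a, m = words(addr), words(mask)
        next_entry = INSNS_PER_ADDR * (idx + 1)  # == end for the last entry
        for k in range(4):
            prog.append(("ld", 4 * k))  # load word k of the address
            prog.append(("and", m[k]))  # apply the mask
            if k < 3:
                jf = next_entry if fixed else end
                prog.append(("jeq", a[k] & m[k], len(prog) + 1, jf))
            else:  # last word: match skips REJECT, mismatch tries next entry
                prog.append(("jeq", a[k] & m[k], end + 1, next_entry))
    prog.append(("ret", "REJECT"))
    prog.append(("ret", "ACCEPT"))
    return prog

def run(prog, ip):
    """Interpret prog against the address ip and return its verdict."""
    w, pc, acc = words(ip), 0, 0
    while True:
        op = prog[pc]
        if op[0] == "ld":
            acc, pc = w[op[1] // 4], pc + 1
        elif op[0] == "and":
            acc, pc = acc & op[1], pc + 1
        elif op[0] == "jeq":
            pc = op[2] if acc == op[1] else op[3]
        else:
            return op[1]
```

With two host entries sharing the same first word, an address matching the second entry is rejected by the buggy layout and accepted by the fixed one; a single-entry filter behaves the same either way, which is why the bug only shows up with several addresses.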