* [PATCH] netfilter: xt_connbytes: handle negation correctly
@ 2011-12-16 17:35 Florian Westphal
2011-12-23 13:51 ` Pablo Neira Ayuso
0 siblings, 1 reply; 3+ messages in thread
From: Florian Westphal @ 2011-12-16 17:35 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
"! --connbytes 23:42" should match if the packet/byte count is not in range.
As there is no explict "invert match" toggle in the match structure,
userspace swaps the from and to arguments
(i.e., as if "--connbytes 42:23" were given).
However, "what <= 23 && what >= 42" will always be false.
Change things so we use "||" in case "from" is larger than "to".
This change may look like it breaks backwards compatibility when "to" is 0.
However, older iptables binaries will refuse "connbytes 42:0",
and current releases treat it to mean "! --connbytes 0:42",
so we should be fine.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/xt_connbytes.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index 5b13850..9ddf1c3 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -87,10 +87,10 @@ connbytes_mt(const struct sk_buff *skb, struct xt_action_param *par)
break;
}
- if (sinfo->count.to)
+ if (sinfo->count.to >= sinfo->count.from)
return what <= sinfo->count.to && what >= sinfo->count.from;
- else
- return what >= sinfo->count.from;
+ else /* inverted */
+ return what < sinfo->count.to || what > sinfo->count.from;
}
static int connbytes_mt_check(const struct xt_mtchk_param *par)
--
1.7.3.4
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] netfilter: xt_connbytes: handle negation correctly
2011-12-16 17:35 [PATCH] netfilter: xt_connbytes: handle negation correctly Florian Westphal
@ 2011-12-23 13:51 ` Pablo Neira Ayuso
0 siblings, 0 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2011-12-23 13:51 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On Fri, Dec 16, 2011 at 06:35:15PM +0100, Florian Westphal wrote:
> "! --connbytes 23:42" should match if the packet/byte count is not in range.
>
> As there is no explict "invert match" toggle in the match structure,
> userspace swaps the from and to arguments
> (i.e., as if "--connbytes 42:23" were given).
>
> However, "what <= 23 && what >= 42" will always be false.
>
> Change things so we use "||" in case "from" is larger than "to".
>
> This change may look like it breaks backwards compatibility when "to" is 0.
> However, older iptables binaries will refuse "connbytes 42:0",
> and current releases treat it to mean "! --connbytes 0:42",
> so we should be fine.
Applied, thanks Florian. I'll pass this for 3.2-rc inclusion.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Netfilter updates for 3.2-rc
@ 2011-12-23 14:04 pablo
2011-12-23 14:04 ` [PATCH] netfilter: xt_connbytes: handle negation correctly pablo
0 siblings, 1 reply; 3+ messages in thread
From: pablo @ 2011-12-23 14:04 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem
From: Pablo Neira Ayuso <pablo@netfilter.org>
Hi Dave,
Please, apply the following fix for the connbytes match from
Florian Westphal.
You can pull it from:
git://1984.lsi.us.es/net nf
Thanks!
P.S: Updates for net-next will come by this weekend.
Florian Westphal (1):
netfilter: xt_connbytes: handle negation correctly
net/netfilter/xt_connbytes.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
--
1.7.2.5
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH] netfilter: xt_connbytes: handle negation correctly
2011-12-23 14:04 Netfilter updates for 3.2-rc pablo
@ 2011-12-23 14:04 ` pablo
0 siblings, 0 replies; 3+ messages in thread
From: pablo @ 2011-12-23 14:04 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem
From: Florian Westphal <fw@strlen.de>
"! --connbytes 23:42" should match if the packet/byte count is not in range.
As there is no explict "invert match" toggle in the match structure,
userspace swaps the from and to arguments
(i.e., as if "--connbytes 42:23" were given).
However, "what <= 23 && what >= 42" will always be false.
Change things so we use "||" in case "from" is larger than "to".
This change may look like it breaks backwards compatibility when "to" is 0.
However, older iptables binaries will refuse "connbytes 42:0",
and current releases treat it to mean "! --connbytes 0:42",
so we should be fine.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/xt_connbytes.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index 5b13850..9ddf1c3 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -87,10 +87,10 @@ connbytes_mt(const struct sk_buff *skb, struct xt_action_param *par)
break;
}
- if (sinfo->count.to)
+ if (sinfo->count.to >= sinfo->count.from)
return what <= sinfo->count.to && what >= sinfo->count.from;
- else
- return what >= sinfo->count.from;
+ else /* inverted */
+ return what < sinfo->count.to || what > sinfo->count.from;
}
static int connbytes_mt_check(const struct xt_mtchk_param *par)
--
1.7.2.5
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2011-12-23 14:05 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-12-16 17:35 [PATCH] netfilter: xt_connbytes: handle negation correctly Florian Westphal
2011-12-23 13:51 ` Pablo Neira Ayuso
-- strict thread matches above, loose matches on Subject: below --
2011-12-23 14:04 Netfilter updates for 3.2-rc pablo
2011-12-23 14:04 ` [PATCH] netfilter: xt_connbytes: handle negation correctly pablo
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.