From: Yanchuan Nian <ycnian@gmail.com>
To: Patrick McHardy <kaber@trash.net>
Cc: pablo@netfilter.org, netfilter-devel@vger.kernel.org
Subject: Re: [nft PATCH] Kill the correct protocol expression during payload parsing
Date: Mon, 1 Sep 2014 09:49:53 +0800
Message-ID: <20140901014953.GA25997@localhost.localdomain>
In-Reply-To: <20140830105249.GB25373@acer.localdomain>

On Sat, Aug 30, 2014 at 11:52:49AM +0100, Patrick McHardy wrote:
> On Sat, Aug 30, 2014 at 01:17:15PM +0800, Yanchuan Nian wrote:
> > The protocol expression that should be killed when payload parsing
> > isn't the first one but the last one. Look at the result of this command:
> 
> That patch is completely wrong. Have you actually tested any other case?
> You're simply not killing any payload dependency anymore.
> 
> The correct fix is to check for OP_NEQ and decide not to kill it based
> on that.
> 
Hi Patrick, thanks for your reply. Yes, this patch is wrong. It was
careless of me to forget to test it. I am sorry and I will try to fix
it. Thank you again.
> > 
> > nft> add rule ip filter input ip protocol != tcp tcp sport 80 drop
> > nft> list table ip filter
> > table ip filter {
> > 	chain input {
> > 		 type filter hook input priority 0;
> > 		 ip protocol tcp tcp sport http drop
> > 	}
> > }
> > nft>
> > 
> > With this patch, the result is:
> > nft> add rule ip filter input ip protocol != tcp tcp sport 80 drop
> > nft> list table ip filter
> > table ip filter {
> > 	chain input {
> > 		 type filter hook input priority 0;
> > 		 ip protocol != tcp tcp sport http drop
> > 	}
> > }
> > nft>
> > 
> > Signed-off-by: Yanchuan Nian <ycnian@gmail.com>
> > ---
> >  src/netlink_delinearize.c | 5 ++---
> >  1 file changed, 2 insertions(+), 3 deletions(-)
> > 
> > diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
> > index 195d432..322c7cc 100644
> > --- a/src/netlink_delinearize.c
> > +++ b/src/netlink_delinearize.c
> > @@ -671,12 +671,11 @@ static void payload_match_postprocess(struct rule_pp_ctx *ctx,
> >  			nstmt = expr_stmt_alloc(&stmt->location, nexpr);
> >  			list_add_tail(&nstmt->list, &stmt->list);
> >  
> > -			/* Remember the first payload protocol expression to
> > +			/* Remember the last payload protocol expression to
> >  			 * kill it later on if made redundant by a higher layer
> >  			 * payload expression.
> >  			 */
> > -			if (ctx->pbase == PROTO_BASE_INVALID &&
> > -			    left->flags & EXPR_F_PROTOCOL)
> > +			if (left->flags & EXPR_F_PROTOCOL)
> >  				payload_dependency_store(ctx, nstmt,
> >  							 left->payload.base);
> >  			else
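Review bot: The new condition in this hunk is too broad: without the `ctx->pbase == PROTO_BASE_INVALID` guard, every expression carrying EXPR_F_PROTOCOL calls `payload_dependency_store`, so each later protocol expression silently overwrites whatever dependency (and base) was already recorded in `ctx`, and the change only appears to work because the `!=` match happens to come first in the example rule. The comment is updated to say "last", but ordering is not the property that makes a dependency redundant; as the reviewer points out, the decision should be keyed on the comparison operator (an OP_NEQ match is never the implicit dependency a higher-layer payload expression makes redundant, so it should not be registered as a kill candidate at all), keeping the existing first-match guard intact. The patch description also only shows the negated case; the non-negated rule `ip protocol tcp tcp sport 80` should be listed as tested, since the original guard exists for exactly that path.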
> > -- 
> > 1.9.3
> > 
> 

Thread overview: 3+ messages
2014-08-30  5:17 [nft PATCH] Kill the correct protocol expression during payload parsing Yanchuan Nian
2014-08-30 10:52 ` Patrick McHardy
2014-09-01  1:49   ` Yanchuan Nian [this message]
