git.ipfire.org Git - thirdparty/iptables.git/commit
nft: fix interface comparisons in `-C` commands
author Jeremy Sowden <jeremy@azazel.net>
Mon, 18 Nov 2024 13:56:50 +0000 (13:56 +0000)
committer Phil Sutter <phil@nwl.cc>
Tue, 19 Nov 2024 22:46:34 +0000 (23:46 +0100)
commit 40406dbfaefbc204134452b2747bae4f6a122848
tree 473ffdb58a20f5f84259f435f4012aeb400a7ba1
parent e6e232d0ae252b0b86278455b18d9475b95db8f0
nft: fix interface comparisons in `-C` commands

Commit 9ccae6397475 ("nft: Leave interface masks alone when parsing from
kernel") removed code which explicitly set interface masks to all ones.  The
result of this is that they are zero.  However, they are used to mask interfaces
in `is_same_interfaces`.  Consequently, the masked values are always zero, the
comparisons are always true, and check commands which ought to fail succeed:

  # iptables -N test
  # iptables -A test -i lo \! -o lo -j REJECT
  # iptables -v -L test
  Chain test (0 references)
   pkts bytes target     prot opt in     out     source               destination
      0     0 REJECT     all  --  lo     !lo     anywhere             anywhere             reject-with icmp-port-unreachable
  # iptables -v -C test -i abcdefgh \! -o abcdefgh -j REJECT
  REJECT  all opt -- in lo out !lo  0.0.0.0/0  -> 0.0.0.0/0   reject-with icmp-port-unreachable

Remove the mask parameters from `is_same_interfaces`.  Add a test-case.

Fixes: 9ccae6397475 ("nft: Leave interface masks alone when parsing from kernel")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
iptables/nft-arp.c
iptables/nft-ipv4.c
iptables/nft-ipv6.c
iptables/nft-shared.c
iptables/nft-shared.h
iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0 [new file with mode: 0755]
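The mechanism the commit message describes, as an added illustration rather than iptables' own `is_same_interfaces` (the helper names, the byte-wise masked loop and an `IFNAMSIZ` of 16 are assumptions modelling the logic the message describes):

```c
#include <stdbool.h>
#include <string.h>

#define IFNAMSIZ 16 /* assumed: size of a kernel interface-name buffer */

/* Models the pre-fix masked compare: masks must agree, and each name byte
 * is ANDed with its mask byte before comparison.  All-zero masks turn
 * every byte into 0, so any two names compare equal. */
static bool iface_same_masked(const char *a, const unsigned char *a_mask,
                              const char *b, const unsigned char *b_mask)
{
	for (int i = 0; i < IFNAMSIZ; i++) {
		if (a_mask[i] != b_mask[i])
			return false;
		if ((a[i] & a_mask[i]) != (b[i] & b_mask[i]))
			return false;
	}
	return true;
}

/* Mask-free compare, which is what the fix reduces the check to. */
static bool iface_same(const char *a, const char *b)
{
	return strncmp(a, b, IFNAMSIZ) == 0;
}

/* Constructed inputs from the commit message: the rule was added with
 * "-i lo", the check command supplies "-i abcdefgh". */
static const char rule_in[IFNAMSIZ] = "lo";
static const char check_in[IFNAMSIZ] = "abcdefgh";

/* Masks left all zero (state after 9ccae6397475): check wrongly matches. */
bool zero_masks_match(void)
{
	unsigned char mask[IFNAMSIZ] = { 0 };
	return iface_same_masked(rule_in, mask, check_in, mask);
}

/* Masks explicitly all ones (state before 9ccae6397475): mismatch seen. */
bool ones_masks_match(void)
{
	unsigned char mask[IFNAMSIZ];
	memset(mask, 0xff, sizeof(mask));
	return iface_same_masked(rule_in, mask, check_in, mask);
}

/* After this commit: plain compare, no mask, mismatch seen. */
bool fixed_match(void)
{
	return iface_same(rule_in, check_in);
}
```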