git.ipfire.org Git - thirdparty/iptables.git/commit

author	Giuseppe Longo <giuseppelng@gmail.com>
	Fri, 22 Aug 2014 09:16:31 +0000 (11:16 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Sun, 24 Aug 2014 13:29:47 +0000 (15:29 +0200)
commit	d579c3cba69ec958ca93216a77f15acfa1487e09
tree	f78711526ba6e99e9dcd8dd9c792f192cf8240ba	tree
parent	b772c3f24f75e586e406675e4b0b79eabfe3375e	commit \| diff

nft: compare layer 4 protocol in first place

Currently the protocol is tested after the ip address,
this fixes the order testing the protocol before the ip address.

Now the code generated is incorrect:

ip filter INPUT 16
  [ payload load 4b @ network header + 12 => reg 1 ]
  [ cmp eq reg 1 0x0100a8c0 ]
  [ payload load 1b @ network header + 9 => reg 1 ]
  [ cmp eq reg 1 0x00000006 ]
  [ match name tcp rev 0 ]
  [ match name conntrack rev 3 ]
  [ counter pkts 0 bytes 0 ]
  [ immediate reg 0 accept ]

With this patch, the code generated is:
ip filter INPUT 16
  [ payload load 1b @ network header + 9 => reg 1 ]
  [ cmp eq reg 1 0x00000006 ]
  [ payload load 4b @ network header + 12 => reg 1 ]
  [ cmp eq reg 1 0x0100a8c0 ]
  [ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
  [ match name tcp rev 0 ]
  [ match name conntrack rev 3 ]
  [ counter pkts 0 bytes 0 ]
  [ immediate reg 0 accept ]

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

iptables/nft-ipv4.c		diff \| blob \| blame \| history
iptables/nft-ipv6.c		diff \| blob \| blame \| history