The prefix building algorithm in netlink phase was incorrect in
IPv6.
For example, when adding the following rule
nft add rule ip6 nat postrouting ip6 saddr 2::/64 --debug=all
we had:
ip6 nat postrouting 0 0
[ payload load 16b @ network header + 8 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x00000000 0x99361540 0x00007f8d 0x2e33a1eb ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ]
[ cmp eq reg 1 0x00000200 0x00000000 0x00000000 0x00000000 ]
With the patch the result is as expected:
ip6 nat postrouting 0 0
[ payload load 16b @ network header + 8 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff 0xffffffff 0x00000000 0x00000000 ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ]
[ cmp eq reg 1 0x00000200 0x00000000 0x00000000 0x00000000 ]
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
static void netlink_gen_prefix(const struct expr *expr,
struct nft_data_linearize *data)
{
- uint32_t i, cidr, idx;
+ uint32_t idx;
+ int32_t i, cidr;
uint32_t mask;
assert(expr->ops->type == EXPR_PREFIX);
data->len = div_round_up(expr->prefix->len, BITS_PER_BYTE);
cidr = expr->prefix_len;
- for (i = 0; i < data->len; i+= 32) {
+ for (i = 0; (uint32_t)i / BITS_PER_BYTE < data->len; i += 32) {
if (cidr - i >= 32)
- mask = 0;
+ mask = 0xffffffff;
+ else if (cidr - i > 0)
+ mask = (1 << (cidr - i)) - 1;
else
- mask = (1 << cidr) - 1;
+ mask = 0;
idx = i / 32;
data->value[idx] = mask;
projects / thirdparty / nftables.git / commitdiff
