git.ipfire.org Git - thirdparty/iptables.git/commit

author	Phil Sutter <phil@nwl.cc>
	Fri, 20 Sep 2019 09:19:15 +0000 (11:19 +0200)
committer	Phil Sutter <phil@nwl.cc>
	Mon, 23 Sep 2019 20:13:20 +0000 (22:13 +0200)
commit	7c64eaf4b1b97ff69a7d9c5c13d4e9eff97d2cd1
tree	5e2274d40d1ec704fdbddc54fcb7235cf87ae519	tree \| snapshot
parent	5a0294901db1df0d8b1f22c2f64e3b967562ad2e	commit \| diff

nft: Fix add_bitwise_u16() on Big Endian

Type used for 'mask' and 'xor' parameters was wrong, 'int' is four bytes
on 32 or 64 bit architectures. After casting a uint16_t to int, on Big
Endian the first two bytes of data are (the leading) zero which libnftnl
then copies instead of the actual value.

This problem was noticed when using '--fragment' option:

| # iptables-nft -A FORWARD --fragment -j ACCEPT
| # nft list ruleset | grep frag-off
| ip frag-off & 0 != 0 counter packets 0 bytes 0 accept

With this fix in place, the resulting nft rule is correct:

| ip frag-off & 8191 != 0 counter packets 0 bytes 0 accept

Fixes: 2f1fbab671576 ("iptables: nft: add -f support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

iptables/nft-shared.c		diff \| blob \| blame \| history
iptables/nft-shared.h		diff \| blob \| blame \| history