git.ipfire.org Git - thirdparty/nftables.git/commit
datatype: clamp boolean value to 0 and 1

If user provides a numeric value larger than 0 or 1, match never
happens:

    # nft --debug=netlink add rule x y tcp option sack-perm 4
    ip x y
      [ exthdr load tcpopt 1b @ 4 + 0 present => reg 1 ]
      [ cmp eq reg 1 0x00000004 ]

After this update:

    # nft --debug=netlink add rule x y tcp option sack-perm 4
    ip x y
      [ exthdr load tcpopt 1b @ 4 + 0 present => reg 1 ]
      [ cmp eq reg 1 0x00000001 ]

This is to address a rare corner case, in case user specifies the
boolean value through the integer base type.

Fixes: 9fd9baba43c8 ("Introduce boolean datatype and boolean expression")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>