Commit 6c0d95d1 authored by Martin Willi's avatar Martin Willi Committed by Pablo Neira Ayuso

netfilter: ctnetlink: fix mark based dump filtering regression

conntrack mark based dump filtering may falsely skip entries if a mask
is given: If the mask-based check does not filter out the entry, the
else-if check is always true and compares the mark without considering
the mask. The if/else-if logic seems wrong.

Given that the mask during filter setup is implicitly set to 0xffffffff
if not specified explicitly, the mark filtering flags seem to just
complicate things. Restore the previously used approach by always
matching against a zero mask if no filter mark is given.

Fixes: cb8aa9a3 ("netfilter: ctnetlink: add kernel side filtering for dump")
Signed-off-by: default avatarMartin Willi <martin@strongswan.org>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 67cc570e
...@@ -851,7 +851,6 @@ static int ctnetlink_done(struct netlink_callback *cb) ...@@ -851,7 +851,6 @@ static int ctnetlink_done(struct netlink_callback *cb)
} }
struct ctnetlink_filter { struct ctnetlink_filter {
u_int32_t cta_flags;
u8 family; u8 family;
u_int32_t orig_flags; u_int32_t orig_flags;
...@@ -906,10 +905,6 @@ static int ctnetlink_parse_tuple_filter(const struct nlattr * const cda[], ...@@ -906,10 +905,6 @@ static int ctnetlink_parse_tuple_filter(const struct nlattr * const cda[],
struct nf_conntrack_zone *zone, struct nf_conntrack_zone *zone,
u_int32_t flags); u_int32_t flags);
/* applied on filters */
#define CTA_FILTER_F_CTA_MARK (1 << 0)
#define CTA_FILTER_F_CTA_MARK_MASK (1 << 1)
static struct ctnetlink_filter * static struct ctnetlink_filter *
ctnetlink_alloc_filter(const struct nlattr * const cda[], u8 family) ctnetlink_alloc_filter(const struct nlattr * const cda[], u8 family)
{ {
...@@ -930,14 +925,10 @@ ctnetlink_alloc_filter(const struct nlattr * const cda[], u8 family) ...@@ -930,14 +925,10 @@ ctnetlink_alloc_filter(const struct nlattr * const cda[], u8 family)
#ifdef CONFIG_NF_CONNTRACK_MARK #ifdef CONFIG_NF_CONNTRACK_MARK
if (cda[CTA_MARK]) { if (cda[CTA_MARK]) {
filter->mark.val = ntohl(nla_get_be32(cda[CTA_MARK])); filter->mark.val = ntohl(nla_get_be32(cda[CTA_MARK]));
filter->cta_flags |= CTA_FILTER_FLAG(CTA_MARK); if (cda[CTA_MARK_MASK])
if (cda[CTA_MARK_MASK]) {
filter->mark.mask = ntohl(nla_get_be32(cda[CTA_MARK_MASK])); filter->mark.mask = ntohl(nla_get_be32(cda[CTA_MARK_MASK]));
filter->cta_flags |= CTA_FILTER_FLAG(CTA_MARK_MASK); else
} else {
filter->mark.mask = 0xffffffff; filter->mark.mask = 0xffffffff;
}
} else if (cda[CTA_MARK_MASK]) { } else if (cda[CTA_MARK_MASK]) {
err = -EINVAL; err = -EINVAL;
goto err_filter; goto err_filter;
...@@ -1117,11 +1108,7 @@ static int ctnetlink_filter_match(struct nf_conn *ct, void *data) ...@@ -1117,11 +1108,7 @@ static int ctnetlink_filter_match(struct nf_conn *ct, void *data)
} }
#ifdef CONFIG_NF_CONNTRACK_MARK #ifdef CONFIG_NF_CONNTRACK_MARK
if ((filter->cta_flags & CTA_FILTER_FLAG(CTA_MARK_MASK)) && if ((ct->mark & filter->mark.mask) != filter->mark.val)
(ct->mark & filter->mark.mask) != filter->mark.val)
goto ignore_entry;
else if ((filter->cta_flags & CTA_FILTER_FLAG(CTA_MARK)) &&
ct->mark != filter->mark.val)
goto ignore_entry; goto ignore_entry;
#endif #endif
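Review bot: In ctnetlink_alloc_filter the new code stores mark.val unmasked, while ctnetlink_filter_match now compares `(ct->mark & filter->mark.mask) != filter->mark.val`, so a request whose value has bits set outside its mask can never match and silently dumps nothing instead of being reported as invalid. Consider rejecting that case right after the mask is assigned in the CTA_MARK branch, e.g. `if (filter->mark.val & ~filter->mark.mask) { err = -EINVAL; goto err_filter; }`, mirroring the existing -EINVAL path for a mask without a mark. The no-filter case now appears to rely on the filter struct being zero-allocated so that val and mask are both 0 and every entry matches; that allocation is outside this hunk, so a comment next to it such as `/* mark.val/mask stay 0 when no CTA_MARK is given: matches every entry */` would make the dependency explicit. Both ctnetlink_alloc_filter and ctnetlink_filter_match start and end outside the hunks shown.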
......