bugzilla-daemon at netfilter.org
2023-Sep-03 16:37 UTC
[Bug 1062] Kernel IPv6 event filtering not working
bugzilla.netfilter.org/show_bug.cgi?id=1062

--- Comment #2 from Jeremy Sowden <jeremy at azazel.net> ---

In the ipv4 case:

	for (i = 0; i < f->l3proto_elems[dir]; i++) {
		int ip = f->l3proto[dir][i].addr & f->l3proto[dir][i].mask;

		j += nfct_bsf_load_attr(this, BPF_W, j);
		j += nfct_bsf_alu_and(this, f->l3proto[dir][i].mask, j);
		j += nfct_bsf_cmp_k_stack(this, ip, jt - j, j, s);
	}

there is one comparison per address and if it matches we jump to the end of the filter.

In the ipv6 case:

	for (i = 0; i < f->l3proto_elems_ipv6[dir]; i++) {
		int k, offset;

		for (k = 0, offset = 0; k < 4; k++, offset += 4) {
			int ip = f->l3proto_ipv6[dir][i].addr[k] & f->l3proto_ipv6[dir][i].mask[k];

			j += nfct_bsf_load_attr_offset(this, BPF_W, offset, j);
			j += nfct_bsf_alu_and(this, f->l3proto_ipv6[dir][i].mask[k], j);
			if (k < 3) {
				j += nfct_bsf_cmp_k_stack_jf(this, ip, jf - j - 1, j, s);
			} else {
				/* last word: jump if true */
				j += nfct_bsf_cmp_k_stack(this, ip, jf - j, j, s);
			}
		}
	}

there are four comparisons per address. The last comparison, as before, jumps to the end of the filter if there is a match. The problem is that the first three comparisons jump to the end of the filter if there _isn't_ a match, when what we should do is jump to the next address in the filter.
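To make the jump-target mistake described in the comment concrete, here is an added example. It is not libnetfilter_conntrack's code and not from the bug report; it models the generated filter with a tiny cBPF-like interpreter (load one 32-bit word of the address, AND it with the mask, compare with the expected value, relative jump offsets as in cBPF). build() emits the per-word comparison chain in two variants: with buggy != 0, a mismatch on words 0..2 jumps to the end of the filter, the same target a match on the last word jumps to, which is the behaviour the comment describes; otherwise a mismatch jumps to the first instruction of the next address. The instruction encoding, the twelve-instruction block per address, treating the end of the filter as the accept target, and the sample addresses and packets are all constructed assumptions of this model, not the library's real layout.

```c
#include <stdint.h>
#include <stdio.h>

/* Minimal cBPF-like model of the generated filter (assumption: illustrative
 * encoding, not libnetfilter_conntrack's nfct_bsf_* output). */
enum { OP_LDW, OP_AND, OP_JEQ, OP_RET };

struct insn {
	int op;
	uint32_t k;	/* LDW: word index; AND/JEQ: operand; RET: verdict */
	int jt, jf;	/* JEQ: relative offsets, next pc = pc + 1 + jt/jf as in cBPF */
};

#define MAX_INSN 64
#define INSN_PER_ADDR 12	/* 4 words x (LDW, AND, JEQ) */

struct filter { struct insn code[MAX_INSN]; int len; };
struct ip6 { uint32_t addr[4]; uint32_t mask[4]; };

/* Emit the comparison chain for n addresses: n blocks of INSN_PER_ADDR, then
 * RET 1 (match) and RET 0 (no match). With buggy != 0 a mismatch on words 0..2
 * jumps to the end of the filter, i.e. the match target, as in the report;
 * otherwise it jumps to the next address block. */
static int build(struct filter *f, const struct ip6 *a, int n, int buggy)
{
	int j = 0, i, k;
	int match = INSN_PER_ADDR * n;
	int nomatch = match + 1;

	if (nomatch >= MAX_INSN)
		return -1;

	for (i = 0; i < n; i++) {
		int next = (i + 1 < n) ? INSN_PER_ADDR * (i + 1) : nomatch;

		for (k = 0; k < 4; k++) {
			uint32_t ip = a[i].addr[k] & a[i].mask[k];

			f->code[j++] = (struct insn){ OP_LDW, (uint32_t)k, 0, 0 };
			f->code[j++] = (struct insn){ OP_AND, a[i].mask[k], 0, 0 };
			if (k < 3) {
				int target = buggy ? match : next;
				f->code[j] = (struct insn){ OP_JEQ, ip, 0, target - j - 1 };
			} else {
				/* last word: match if equal, else try the next address */
				f->code[j] = (struct insn){ OP_JEQ, ip, match - j - 1, next - j - 1 };
			}
			j++;
		}
	}
	f->code[j++] = (struct insn){ OP_RET, 1, 0, 0 };
	f->code[j++] = (struct insn){ OP_RET, 0, 0, 0 };
	f->len = j;
	return 0;
}

/* Run the filter over one address given as four 32-bit words. */
static int run(const struct filter *f, const uint32_t pkt[4])
{
	uint32_t acc = 0;
	int pc = 0;

	while (pc >= 0 && pc < f->len) {
		const struct insn *in = &f->code[pc];

		switch (in->op) {
		case OP_LDW: acc = pkt[in->k]; pc++; break;
		case OP_AND: acc &= in->k; pc++; break;
		case OP_JEQ: pc += 1 + (acc == in->k ? in->jt : in->jf); break;
		case OP_RET: return (int)in->k;
		}
	}
	return -1;	/* ran off the end: malformed filter */
}

/* Constructed sample filter: 2001:db8::1/128 and 2001:db8:1::/48. */
static const struct ip6 sample_addrs[2] = {
	{ { 0x20010db8, 0, 0, 1 }, { 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff } },
	{ { 0x20010db8, 0x00010000, 0, 0 }, { 0xffffffff, 0xffff0000, 0, 0 } },
};

/* Constructed sample addresses to run through the filter. */
const uint32_t pkt_in_a[4]  = { 0x20010db8, 0, 0, 1 };			/* 2001:db8::1 */
const uint32_t pkt_in_b[4]  = { 0x20010db8, 0x00010000, 0xdead, 0xbeef };	/* 2001:db8:1::dead:beef */
const uint32_t pkt_near[4]  = { 0x20010db8, 0, 0, 2 };			/* 2001:db8::2 */
const uint32_t pkt_other[4] = { 0xfe800000, 0, 0, 1 };			/* fe80::1 */

/* 1 = passes the two-address filter, 0 = does not, -1 = build error. */
int match_ipv6(int buggy, const uint32_t pkt[4])
{
	struct filter f;

	if (build(&f, sample_addrs, 2, buggy) < 0)
		return -1;
	return run(&f, pkt);
}

int main(void)
{
	const uint32_t *pkts[] = { pkt_in_a, pkt_in_b, pkt_near, pkt_other };
	const char *names[] = { "2001:db8::1", "2001:db8:1::dead:beef", "2001:db8::2", "fe80::1" };
	int i;

	for (i = 0; i < 4; i++)
		printf("%-22s fixed=%d buggy=%d\n", names[i],
		       match_ipv6(0, pkts[i]), match_ipv6(1, pkts[i]));
	return 0;
}
```

With the fixed chain only the two listed addresses pass; 2001:db8::2 fails on the last word of the first entry, falls through to the second entry, fails there on word 1 and reaches RET 0. With the buggy chain the same mismatch on word 1 of the second entry lands on the end of the filter, so 2001:db8::2 passes, and fe80::1 passes on the very first word: the filter accepts nearly everything, which is the "not working" symptom in the bug title. This is the general shape of the defect for any number of addresses; the only case the buggy chain still rejects is an address whose first three words match some entry while the fourth does not.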