netfilter: xt_connbytes: handle negation correctly
"! --connbytes 23:42" should match if the packet/byte count is not in range.

As there is no explicit "invert match" toggle in the match structure, userspace swaps the from and to arguments (i.e., as if "--connbytes 42:23" were given). However, "what <= 23 && what >= 42" will always be false.

Change things so we use "||" in case "from" is larger than "to".

This change may look like it breaks backwards compatibility when "to" is 0. However, older iptables binaries will refuse "connbytes 42:0", and current releases treat it to mean "! --connbytes 0:42", so we should be fine.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent 3f1e6d3fd3
commit 0354b48f63
@ -87,10 +87,10 @@ connbytes_mt(const struct sk_buff *skb, struct xt_action_param *par)
break;
}
if (sinfo->count.to)
if (sinfo->count.to >= sinfo->count.from)
return what <= sinfo->count.to && what >= sinfo->count.from;
else
return what >= sinfo->count.from;
else /* inverted */
return what < sinfo->count.to || what > sinfo->count.from;
}
static int connbytes_mt_check(const struct xt_mtchk_param *par)
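Review bot: the new test `if (sinfo->count.to >= sinfo->count.from)` treats equal bounds as a non-inverted range, so a negated single-value match (where userspace's swap of from and to leaves `from == to`) is indistinguishable from the positive one and never reaches the `else /* inverted */` branch; since inversion is encoded only as `from > to`, a comment above the comparison should say so, and userspace should reject the negated N:N form rather than silently installing a rule that matches the opposite of what was written. The other cases check out: `return what < sinfo->count.to || what > sinfo->count.from;` is the exact complement of the inclusive `what <= sinfo->count.to && what >= sinfo->count.from`, and the removed `to == 0` special case (`return what >= sinfo->count.from;`) now lands in the inverted branch, where the `what < sinfo->count.to` half is always false for an unsigned counter and the result is `what > from`, matching the "! --connbytes 0:42" reading given in the commit message.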