commit 96120d86fe302c006259baee9061eea9e1b9e486 · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

netfilter: xt_conntrack: fix inverted conntrack direction test

--ctdir ORIGINAL matches REPLY packets, and vv:

userspace sets "invert_flags &= ~XT_CONNTRACK_DIRECTION" in ORIGINAL
case.

Thus: (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL) ^
!!(info->invert_flags & XT_CONNTRACK_DIRECTION))

yields "1 ^ 0", which is true -> returns false.

Reproducer:
iptables -I OUTPUT 1 -p tcp --syn -m conntrack --ctdir ORIGINAL

Signed-off-by: Florian Westphal <fwestphal@astaro.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

authored by Florian Westphal and committed by Patrick McHardy 15 years ago 96120d86 b7225041

+1 -1

1 changed file

expand all

unified split

net

netfilter

xt_conntrack.c

+1 -1

net/netfilter/xt_conntrack.c

··· 195 195 return info->match_flags & XT_CONNTRACK_STATE; 196 196 if ((info->match_flags & XT_CONNTRACK_DIRECTION) && 197 197 (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL) ^ 198 - !!(info->invert_flags & XT_CONNTRACK_DIRECTION)) 198 + !(info->invert_flags & XT_CONNTRACK_DIRECTION)) 199 199 return false; 200 200 201 201 if (info->match_flags & XT_CONNTRACK_ORIGSRC)