[xtables,07/13] arptables: fix target ip offset

Message ID	20181112141900.7366-8-fw@strlen.de
State	Accepted
Delegated to:	Pablo Neira
Headers	show Return-Path: <netfilter-devel-owner@vger.kernel.org> From: Florian Westphal <fw@strlen.de> To: <netfilter-devel@vger.kernel.org> Cc: Florian Westphal <fw@strlen.de> Subject: [PATCH xtables 07/13] arptables: fix target ip offset Date: Mon, 12 Nov 2018 15:18:54 +0100 Message-Id: <20181112141900.7366-8-fw@strlen.de> In-Reply-To: <20181112141900.7366-1-fw@strlen.de> References: <20181112141900.7366-1-fw@strlen.de> Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk
Series	arptables: make it work \| expand [xtables,00/13] arptables: make it work [xtables,01/13] arptables: use ->save for arptables-save, like xtables [xtables,02/13] arptables-save: add -c option, like xtables-save [xtables,03/13] arptables: remove code that is also commented-out in original arptables [xtables,04/13] arptables: fix rule deletion/compare [xtables,05/13] arptables: add basic test infra for arptables-nft [xtables,06/13] arptables: fix -s/-d handling for negation and mask [xtables,07/13] arptables: fix target ip offset [xtables,08/13] arptables: fix src/dst mac handling [xtables,09/13] arptables: pre-init hlen and ethertype [xtables,10/13] arptables: add test cases [xtables,11/13] arptables: make uni/multicast mac masks static [xtables,12/13] arptables: ignore --table argument. [xtables,13/13] arptables: fix --version info

Message ID

20181112141900.7366-8-fw@strlen.de

State

Accepted

Delegated to:

Pablo Neira

Headers

From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH xtables 07/13] arptables: fix target ip offset
Date: Mon, 12 Nov 2018 15:18:54 +0100
Message-Id: <20181112141900.7366-8-fw@strlen.de>
In-Reply-To: <20181112141900.7366-1-fw@strlen.de>
References: <20181112141900.7366-1-fw@strlen.de>
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk

Series

arptables: make it work | expand

Commit Message

Florian Westphal Nov. 12, 2018, 2:18 p.m. UTC

--dst-ip checks the first four octets of the target mac.

Format of ipv4 arp is:
arphdr (htype, ptype...)
src mac
src ip
target mac
target ip

So we need to add hlen (6 bytes) a second time
(arphdr + 6 + 4 + 6) to get correct offset.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 iptables/nft-arp.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 21adc5dbb1fe..c8b52ae051f3 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -214,7 +214,7 @@  static int nft_arp_add(struct nftnl_rule *r, void *data)
 	    fw->arp.tmsk.s_addr != 0 ||
 	    fw->arp.invflags & ARPT_INV_TGTIP) {
 		op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_TGTIP);
-		add_addr(r, sizeof(struct arphdr) + fw->arp.arhln + sizeof(struct in_addr),
+		add_addr(r, sizeof(struct arphdr) + fw->arp.arhln + sizeof(struct in_addr) + fw->arp.arhln,
 			 &fw->arp.tgt.s_addr, &fw->arp.tmsk.s_addr,
 			 sizeof(struct in_addr), op);
 	}
@@ -346,7 +346,8 @@  static void nft_arp_parse_payload(struct nft_xt_ctx *ctx,
 				fw->arp.invflags |= ARPT_INV_SRCIP;
 		} else if (ctx->payload.offset == sizeof(struct arphdr) +
 						  fw->arp.arhln +
-						  sizeof(struct in_addr)) {
+						  sizeof(struct in_addr) +
+						  fw->arp.arhln) {
 			get_cmp_data(e, &addr, sizeof(addr), &inv);
 			fw->arp.tgt.s_addr = addr.s_addr;
 			if (ctx->flags & NFT_XT_CTX_BITWISE) {

[xtables,07/13] arptables: fix target ip offset

Commit Message

Patch