
[nft] src: Check range bounds before converting to prefix

Message ID 20210906030641.10958-1-shaw.leon@gmail.com
State Accepted
Delegated to: Pablo Neira

Commit Message

Xiao Liang Sept. 6, 2021, 3:06 a.m. UTC
The lower bound must be the first value of the prefix to be converted.
For example, range "10.0.0.15-10.0.0.240" can not be converted to
"10.0.0.15/24". Validate it by checking if the lower bound value has
enough trailing zeros.

Signed-off-by: Xiao Liang <shaw.leon@gmail.com>
---
 src/netlink.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
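The bound check from the commit message, as an added example that is not nftables code: plain uint32_t arithmetic on an IPv4 range stands in for the GMP mpz calls in range_expr_to_prefix(), and the ipv4() helper and the check_lower_bound flag (which switches between the pre- and post-patch behaviour) are assumed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: host-order IPv4 address from four octets. */
static uint32_t ipv4(unsigned a, unsigned b, unsigned c, unsigned d)
{
	return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Index of the lowest set bit, like mpz_scan1(v, 0); 32 when v == 0
 * (GMP returns ULONG_MAX there, which also satisfies the >= test). */
static unsigned lowest_set_bit(uint32_t v)
{
	unsigned n;

	for (n = 0; n < 32 && !(v & 1); n++)
		v >>= 1;
	return n;
}

/* Prefix length (0..32) if lo-hi is exactly one CIDR block, else -1.
 * check_lower_bound = false reproduces the pre-patch path, which accepts
 * any range whose lo^hi is a trailing-ones mask and so yields 10.0.0.15/24. */
int range_to_prefix(uint32_t lo, uint32_t hi, bool check_lower_bound)
{
	uint32_t bitmask = lo ^ hi;
	unsigned host_bits = 0;

	if (lo > hi)
		return -1;
	/* bitmask must be 2^k - 1: the analogue of mpz_bitmask_is_prefix() */
	if (bitmask & (bitmask + 1))
		return -1;
	for (uint32_t m = bitmask; m; m >>= 1)
		host_bits++;
	/* The patch's check: lo must have host_bits trailing zeros so it is the
	 * first address of the block (hi is then lo with every host bit set). */
	if (check_lower_bound && lowest_set_bit(lo) < host_bits)
		return -1;
	return 32 - host_bits;
}

int main(void)
{
	uint32_t lo = ipv4(10, 0, 0, 15), hi = ipv4(10, 0, 0, 240);
	printf("old: /%d  new: /%d\n", range_to_prefix(lo, hi, false),
	       range_to_prefix(lo, hi, true));
	return 0;
}
```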

Comments

Pablo Neira Ayuso Sept. 6, 2021, 9:13 a.m. UTC | #1
Hi,

On Mon, Sep 06, 2021 at 11:06:41AM +0800, Xiao Liang wrote:
> The lower bound must be the first value of the prefix to be converted.
> For example, range "10.0.0.15-10.0.0.240" can not be converted to
> "10.0.0.15/24". Validate it by checking if the lower bound value has
> enough trailing zeros.

# nft add rule x y ip saddr 10.0.0.15-10.0.0.240
# nft list ruleset
...
        ip saddr 10.0.0.15-10.0.0.240

Is a different range that triggers the problem?
Xiao Liang Sept. 6, 2021, 12:57 p.m. UTC | #2
On Mon, Sep 6, 2021 at 5:13 PM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>
> Hi,
>
> On Mon, Sep 06, 2021 at 11:06:41AM +0800, Xiao Liang wrote:
> > The lower bound must be the first value of the prefix to be converted.
> > For example, range "10.0.0.15-10.0.0.240" can not be converted to
> > "10.0.0.15/24". Validate it by checking if the lower bound value has
> > enough trailing zeros.
>
> # nft add rule x y ip saddr 10.0.0.15-10.0.0.240
> # nft list ruleset
> ...
>         ip saddr 10.0.0.15-10.0.0.240
>
> Is a different range that triggers the problem?

Hi,

Please try
# nft add rule x y snat to 10.0.0.15-10.0.0.240
Pablo Neira Ayuso Sept. 6, 2021, 8:04 p.m. UTC | #3
On Mon, Sep 06, 2021 at 11:06:41AM +0800, Xiao Liang wrote:
> The lower bound must be the first value of the prefix to be converted.
> For example, range "10.0.0.15-10.0.0.240" can not be converted to
> "10.0.0.15/24". Validate it by checking if the lower bound value has
> enough trailing zeros.

Applied, thanks.

Patch

diff --git a/src/netlink.c b/src/netlink.c
index cbf9d436..0fd0b664 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1079,12 +1079,15 @@  struct expr *range_expr_to_prefix(struct expr *range)
 
 	if (mpz_bitmask_is_prefix(bitmask, len)) {
 		prefix_len = mpz_bitmask_to_prefix(bitmask, len);
-		prefix = prefix_expr_alloc(&range->location, expr_get(left),
-					   prefix_len);
-		mpz_clear(bitmask);
-		expr_free(range);
-
-		return prefix;
+		if (mpz_scan1(left->value, 0) >= len - prefix_len) {
+			prefix = prefix_expr_alloc(&range->location,
+						   expr_get(left),
+						   prefix_len);
+			mpz_clear(bitmask);
+			expr_free(range);
+
+			return prefix;
+		}
 	}
 	mpz_clear(bitmask);
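Review bot: the new `if (mpz_scan1(left->value, 0) >= len - prefix_len)` condition would benefit from a one-line comment stating why only the lower bound is tested, since the reader otherwise has to reconstruct that the xor mask already constrains the upper bound (once `left ^ right` is a trailing-ones mask, `right->value` is `left->value` with every host bit set, so enough trailing zeros in `left` is sufficient). The same comment could note that mpz_scan1() returns ULONG_MAX when `left->value` is zero, which satisfies the comparison and keeps ranges starting at all-zero addresses converting. The rejected case now falls through to the `mpz_clear(bitmask);` context line below, so the accepted branch's own `mpz_clear(bitmask);` / `expr_free(range);` pair is the only duplicate cleanup left; folding both into one exit would avoid keeping them in sync.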