On Wed, Jun 20, 2018 at 01:40:45PM +0200, Pablo Neira Ayuso wrote:
> On Mon, Jun 18, 2018 at 11:57:10AM +0200, Máté Eckl wrote:
> > Signed-off-by: Máté Eckl <[email protected]>
> > ---
> >  src/evaluate.c | 20 ++++++++++++++++++--
> >  1 file changed, 18 insertions(+), 2 deletions(-)
> > 
> > diff --git a/src/evaluate.c b/src/evaluate.c
> > index d6aff61..0564b44 100644
> > --- a/src/evaluate.c
> > +++ b/src/evaluate.c
> > @@ -2431,12 +2431,28 @@ static int evaluate_addr(struct eval_ctx *ctx, 
> > struct stmt *stmt,
> >     const struct datatype *dtype;
> >     unsigned int len;
> >  
> > -   if (pctx->family == NFPROTO_IPV4) {
> > +   switch (pctx->family) {
> > +   case NFPROTO_IPV4:
> >             dtype = &ipaddr_type;
> >             len   = 4 * BITS_PER_BYTE;
> > -   } else {
> > +           break;
> > +   case NFPROTO_IPV6:
> >             dtype = &ip6addr_type;
> >             len   = 16 * BITS_PER_BYTE;
> > +           break;
> > +   case NFPROTO_INET:
> > +           if (strchr((*expr)->identifier, ':')) {
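Review bot: the `strchr((*expr)->identifier, ':')` test in the NFPROTO_INET case decides the address family from the spelling of the identifier, so anything without a colon is taken to be IPv4 and the remainder of the case (cut off here) should say so in a comment; it is also worth confirming that `(*expr)->identifier` is never NULL for the expression kinds evaluate_addr accepts before dereferencing it. Separately, the removed `} else {` branch covered every non-IPv4 family, while the new switch shows explicit cases only for NFPROTO_IPV4, NFPROTO_IPV6 and NFPROTO_INET; the part of the hunk not shown should end the switch with a default case that reports an error, otherwise `dtype` and `len` would be used uninitialised for any other family.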
> 
> I'd suggest you specify this in this syntax:
> 
>         tproxy ip to 1.1.1.1
> 
> for the bridge/netdev/inet families.
> 
> From the kernel, this will also skip non-IP packets, so we don't need
> to build an IP dependency for this statement.

This patch solves a problem regardless of the tproxy functionality, as it was
impossible to specify an address other than ipv6 in non-ip tables. Tproxy was
only an example to demonstrate the error.

If this patch is applied, there is no need for the 'ip' here (and I'd like to
avoid it). Tproxy is not supported in bridge and netdev tables.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html