On Tue, May 28, 2019 at 07:03:59AM +0000, Robin Geuze wrote:
> This fixes a bug in the Address Accept filter case where if you only
> specify either addresses or masks it would never match.

Thanks Robin.

Would you post an example configuration that is broken? I would like
to place it in the commit message.

> Signed-off-by: Robin Geuze <rob...@transip.nl>
> ---
>   src/filter.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/src/filter.c b/src/filter.c
> index 00a5e96..07b2e1d 100644
> --- a/src/filter.c
> +++ b/src/filter.c
> @@ -335,16 +335,22 @@ ct_filter_check(struct ct_filter *f, const struct 
> nf_conntrack *ct)
>               switch(nfct_get_attr_u8(ct, ATTR_L3PROTO)) {
>               case AF_INET:
>                       ret = vector_iterate(f->v, ct, __ct_filter_test_mask4);
> -                     if (ret ^ f->logic[CT_FILTER_ADDRESS])
> +                     if (ret && f->logic[CT_FILTER_ADDRESS]) {
> +                             break;
> +                     } else if (ret && !f->logic[CT_FILTER_ADDRESS]) {
>                               return 0;
> +                     }
>                       ret = __ct_filter_test_ipv4(f, ct);
>                       if (ret ^ f->logic[CT_FILTER_ADDRESS])
>                               return 0;
>                       break;
>               case AF_INET6:
>                       ret = vector_iterate(f->v6, ct, __ct_filter_test_mask6);
> -                     if (ret ^ f->logic[CT_FILTER_ADDRESS])
> +                     if (ret && f->logic[CT_FILTER_ADDRESS]) {
> +                             break;
> +                     } else if (ret && !f->logic[CT_FILTER_ADDRESS]) {
>                               return 0;
> +                     }
>                       ret = __ct_filter_test_ipv6(f, ct);
>                       if (ret ^ f->logic[CT_FILTER_ADDRESS])
>                               return 0;
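Review bot: The new mask branch in the AF_INET case tests `ret` twice and is copied unchanged into the AF_INET6 case; nesting it as `if (ret) { if (f->logic[CT_FILTER_ADDRESS]) break; return 0; }` reads as the single decision it is. A comment above it such as `/* a mask match settles the verdict; the exact-address lookup runs only when no mask matched */` would record why the two tests are now alternatives rather than both required, which matters because this verdict decides which flows the filter accepts or ignores. The unchanged `ret ^ f->logic[CT_FILTER_ADDRESS]` test after the exact-address lookup presumably relies on that lookup returning exactly 0 or 1, which is not visible here and is worth confirming. ct_filter_check starts before this hunk and continues after it.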
> -- 
> 2.20.1
