2002-07-09 20:19:10

by Marcus Sundberg

Subject: [PATCH] Iptables multiport match fix

Hi,

The multiport match checks for the IPT_INV_PROTO flag in the 'flags'
member of struct ipt_ip instead of in the 'invflags' member.

diff -ur linux.current/net/ipv4/netfilter/ipt_multiport.c linux-mine/net/ipv4/netfilter/ipt_multiport.c
--- linux-2.4.19-rc1/net/ipv4/netfilter/ipt_multiport.c Tue Jun 20 23:32:27 2000
+++ linux/net/ipv4/netfilter/ipt_multiport.c Tue Jul 9 10:43:23 2002
@@ -78,7 +78,7 @@

/* Must specify proto == TCP/UDP, no unknown flags or bad count */
return (ip->proto == IPPROTO_TCP || ip->proto == IPPROTO_UDP)
- && !(ip->flags & IPT_INV_PROTO)
+ && !(ip->invflags & IPT_INV_PROTO)
&& matchsize == IPT_ALIGN(sizeof(struct ipt_multiport))
&& (multiinfo->flags == IPT_MULTIPORT_SOURCE
|| multiinfo->flags == IPT_MULTIPORT_DESTINATION
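
Review bot: The comment above the `return` still reads "Must specify proto == TCP/UDP, no unknown flags or bad count" and does not say that an inverted protocol is rejected, which is the condition the changed line tests. Consider extending it, for example to "Must specify proto == TCP/UDP (not inverted), no unknown flags or bad count", so the intent of the `ip->invflags & IPT_INV_PROTO` test is stated next to it and a `flags`/`invflags` mix-up is easier to spot in future.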

(Where should I send this btw? The kernel part of iptables doesn't
seem to be in the netfilter CVS. Was I supposed to create a p-o-m
patch? Or send it directly to Marcelo?)

//Marcus
--
---------------------------------------+--------------------------
Marcus Sundberg <[email protected]> | Firewalls with SIP & NAT
Firewall Developer, Ingate Systems AB | http://www.ingate.com/


2002-07-10 09:41:41

by Harald Welte

Subject: Re: [PATCH] Iptables multiport match fix

On Tue, Jul 09, 2002 at 10:21:36PM +0200, Marcus Sundberg wrote:
> Hi,
>
> The multiport match checks for the IPT_INV_PROTO flag in the 'flags'
> member of struct ipt_ip instead of in the 'invflags' member.

Thanks for this fix.
>
> diff -ur linux.current/net/ipv4/netfilter/ipt_multiport.c linux-mine/net/ipv4/netfilter/ipt_multiport.c
> --- linux-2.4.19-rc1/net/ipv4/netfilter/ipt_multiport.c Tue Jun 20 23:32:27 2000
> +++ linux/net/ipv4/netfilter/ipt_multiport.c Tue Jul 9 10:43:23 2002
> @@ -78,7 +78,7 @@
>
> /* Must specify proto == TCP/UDP, no unknown flags or bad count */
> return (ip->proto == IPPROTO_TCP || ip->proto == IPPROTO_UDP)
> - && !(ip->flags & IPT_INV_PROTO)
> + && !(ip->invflags & IPT_INV_PROTO)
> && matchsize == IPT_ALIGN(sizeof(struct ipt_multiport))
> && (multiinfo->flags == IPT_MULTIPORT_SOURCE
> || multiinfo->flags == IPT_MULTIPORT_DESTINATION
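
Review bot: The file headers above this hunk do not agree on the tree names: the `diff -ur` line uses `linux.current/` and `linux-mine/`, while the `---` and `+++` lines use `linux-2.4.19-rc1/` and `linux/`. Each path has a single leading component, so the patch should still apply with -p1, but regenerating the diff so the command line and the `---`/`+++` headers match would make it clear which base tree the one-line change at `@@ -78,7 +78,7 @@` was made against before it is resent.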
>
> (Where should I send this btw? The kernel part of iptables doesn't
> seem to be in the netfilter CVS. Was I supposed to create a p-o-m
> patch? Or send it directly to Marcelo?)

Send it to the netfilter development list
([email protected]). The netfilter developers will then
check/test and submit to DaveM for kernel inclusion.

> //Marcus

--
Live long and prosper
- Harald Welte / [email protected] http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M-
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)