linux/net/netfilter
Florian Westphal 0354b48f63 netfilter: xt_connbytes: handle negation correctly
"! --connbytes 23:42" should match if the packet/byte count is not in range.

As there is no explict "invert match" toggle in the match structure,
userspace swaps the from and to arguments
(i.e., as if "--connbytes 42:23" were given).

However, "what <= 23 && what >= 42" will always be false.

Change things so we use "||" in case "from" is larger than "to".

This change may look like it breaks backwards compatibility when "to" is 0.
However, older iptables binaries will refuse "connbytes 42:0",
and current releases treat it to mean "! --connbytes 0:42",
so we should be fine.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-12-23 14:50:19 +01:00
..
ipset netfilter: ipset: suppress compile-time warnings in ip_set_hash_ipport*.c 2011-11-21 18:45:43 +01:00
ipvs ipvs: Remove unused variable "cs" from ip_vs_leave function. 2011-11-01 09:19:57 +01:00
core.c netfilter: do not propagate nf_queue errors in nf_hook_slow 2011-11-01 09:57:21 +01:00
Kconfig netfilter: Remove ADVANCED dependency from NF_CONNTRACK_NETBIOS_NS 2011-12-01 22:19:01 -05:00
Makefile
nf_conntrack_acct.c net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules 2011-10-31 19:30:30 -04:00
nf_conntrack_amanda.c
nf_conntrack_broadcast.c
nf_conntrack_core.c netfilter: Remove unnecessary OOM logging messages 2011-11-01 09:19:49 +01:00
nf_conntrack_ecache.c netfilter: nf_conntrack: make event callback registration per-netns 2011-11-22 00:34:47 +01:00
nf_conntrack_expect.c net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules 2011-10-31 19:30:30 -04:00
nf_conntrack_extend.c
nf_conntrack_ftp.c
nf_conntrack_h323_asn1.c
nf_conntrack_h323_main.c
nf_conntrack_h323_types.c
nf_conntrack_helper.c
nf_conntrack_irc.c
nf_conntrack_l3proto_generic.c
nf_conntrack_netbios_ns.c
nf_conntrack_netlink.c netfilter: nf_conntrack: make event callback registration per-netns 2011-11-22 00:34:47 +01:00
nf_conntrack_pptp.c
nf_conntrack_proto.c
nf_conntrack_proto_dccp.c
nf_conntrack_proto_generic.c
nf_conntrack_proto_gre.c netfilter: nf_conntrack: fix event flooding in GRE protocol tracker 2011-10-03 12:43:24 +02:00
nf_conntrack_proto_sctp.c
nf_conntrack_proto_tcp.c
nf_conntrack_proto_udp.c
nf_conntrack_proto_udplite.c
nf_conntrack_sane.c
nf_conntrack_sip.c
nf_conntrack_snmp.c
nf_conntrack_standalone.c
nf_conntrack_tftp.c
nf_conntrack_timestamp.c
nf_internals.h
nf_log.c
nf_queue.c
nf_sockopt.c
nf_tproxy_core.c
nfnetlink.c
nfnetlink_log.c netfilter: Remove unnecessary OOM logging messages 2011-11-01 09:19:49 +01:00
nfnetlink_queue.c
x_tables.c net: Fix files explicitly needing to include module.h 2011-10-31 19:30:28 -04:00
xt_addrtype.c
xt_AUDIT.c
xt_CHECKSUM.c
xt_CLASSIFY.c
xt_cluster.c
xt_comment.c
xt_connbytes.c netfilter: xt_connbytes: handle negation correctly 2011-12-23 14:50:19 +01:00
xt_connlimit.c
xt_connmark.c
xt_CONNSECMARK.c
xt_conntrack.c
xt_cpu.c
xt_CT.c
xt_dccp.c
xt_devgroup.c
xt_dscp.c
xt_DSCP.c
xt_esp.c
xt_hashlimit.c netfilter: Remove unnecessary OOM logging messages 2011-11-01 09:19:49 +01:00
xt_helper.c
xt_hl.c
xt_HL.c
xt_IDLETIMER.c netfilter: Remove unnecessary OOM logging messages 2011-11-01 09:19:49 +01:00
xt_iprange.c
xt_ipvs.c
xt_LED.c
xt_length.c
xt_limit.c
xt_mac.c
xt_mark.c
xt_multiport.c
xt_NFLOG.c
xt_NFQUEUE.c
xt_NOTRACK.c
xt_osf.c
xt_owner.c
xt_physdev.c
xt_pkttype.c
xt_policy.c
xt_quota.c net: Fix files explicitly needing to include module.h 2011-10-31 19:30:28 -04:00
xt_rateest.c
xt_RATEEST.c
xt_realm.c
xt_recent.c
xt_repldata.h
xt_sctp.c
xt_SECMARK.c
xt_set.c
xt_socket.c
xt_state.c
xt_statistic.c net: Fix files explicitly needing to include module.h 2011-10-31 19:30:28 -04:00
xt_string.c
xt_TCPMSS.c
xt_tcpmss.c
xt_TCPOPTSTRIP.c
xt_tcpudp.c
xt_TEE.c
xt_time.c
xt_TPROXY.c
xt_TRACE.c
xt_u32.c