[netfilter-cvslog] r6872 - trunk/iptables
Author: yasuyuki at netfilter.org
Date: 2007-06-11 22:17:34 +0200 (Mon, 11 Jun 2007)
New Revision: 6872
Modified:
trunk/iptables/ip6tables.c
Log:
'-p all' and '-p 0' should be allowed. In fact the kernel side of ip6tables
accepts '! -p xxx' where xxx is an extension header; such a rule matches every
valid IPv6 packet.
Modified: trunk/iptables/ip6tables.c
===================================================================
--- trunk/iptables/ip6tables.c 2007-06-09 20:19:12 UTC (rev 6871)
+++ trunk/iptables/ip6tables.c 2007-06-11 20:17:34 UTC (rev 6872)
@@ -883,13 +883,11 @@
return (u_int16_t)proto;
}
-/* proto means IPv6 extension header ? */
+/* These are invalid numbers as upper layer protocol */
static int is_exthdr(u_int16_t proto)
{
- return (proto == IPPROTO_HOPOPTS ||
- proto == IPPROTO_ROUTING ||
+ return (proto == IPPROTO_ROUTING ||
proto == IPPROTO_FRAGMENT ||
- proto == IPPROTO_ESP ||
proto == IPPROTO_AH ||
proto == IPPROTO_DSTOPTS);
}
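Review bot: The helper is still called is_exthdr although, after dropping IPPROTO_HOPOPTS from the list, it no longer covers every IPv6 extension header, so the name now contradicts both the new comment and the semantics the callers rely on. The reason for leaving HOPOPTS out is presumably that its protocol number is 0 and therefore collides with '-p all' / '-p 0' (per the log), and ESP was already exempted by the old caller-side check; neither reason is recorded next to the list. I would replace the one-line comment with one that says what the list really is, e.g. `/* Protocol numbers that are only valid as IPv6 extension headers, not as an upper-layer protocol. IPPROTO_HOPOPTS is deliberately absent: its value (0) is also what '-p all' / '-p 0' resolve to. ESP is matched by number in the kernel, so it is not listed either. */`, or rename the function to something like is_exthdr_only() so the next reader does not "fix" it by adding HOPOPTS back.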
@@ -2062,10 +2060,11 @@
exit_error(PARAMETER_PROBLEM,
"rule would never match protocol");
- if (fw.ipv6.proto != IPPROTO_ESP &&
- is_exthdr(fw.ipv6.proto))
+ if (is_exthdr(fw.ipv6.proto)
+ && (fw.ipv6.invflags & IP6T_INV_PROTO) == 0)
printf("Warning: never matched protocol: %s. "
- "use exension match instead.", protocol);
+ "use extension match instead.\n",
+ protocol);
break;
case 's':
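Review bot: The diagnostic is emitted with printf(), so a warning about a never-matching rule lands on stdout where scripts that capture the tool's output will see it as data, while the fatal path just above goes through exit_error(). Warnings belong on stderr: `fprintf(stderr, "Warning: never matched protocol: %s. "`, `"use extension match instead.\n",`, `protocol);`. The added `(fw.ipv6.invflags & IP6T_INV_PROTO) == 0` guard itself looks right given the log's statement that the kernel accepts a negated extension-header protocol. The enclosing switch and function continue outside this hunk, so I cannot confirm what exit_error() and the earlier "rule would never match protocol" check cover.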