[PATCH] proto_to_name duplication

Yasuyuki KOZAKAI yasuyuki.kozakai at toshiba.co.jp
Mon Jul 24 07:38:32 CEST 2006


Hi,

From: Patrick McHardy <kaber at trash.net>
Date: Sat, 22 Jul 2006 15:47:40 +0200

> Phil Oester wrote:
> > Update multiport match to use the iptables version of proto_to_name
> > instead of reinventing the wheel.
> 
> Also applied, thanks Phil.

This allows iptables to send the invalid entry to the kernel when
people do 'iptables -p icmp -m multiport --sports 10000 ...',
for example. Of course the kernel can reject this, but iptables cannot
output a useful error message after that.

check_proto() should not allow protocols other than tcp, udp, sctp and
dccp. That's why libip{,6}t_multiport have the other version of
proto_to_name().

Please revert this or add a check for the protocol number.

Regards,

-- Yasuyuki Kozakai
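To illustrate the check asked for above, here is an added example that is not code from iptables or from anyone in this thread: a restricted protocol check that names only port-carrying protocols, and a user-space validator that refuses a rule such as `-p icmp -m multiport --sports 10000` with a readable reason before it reaches the kernel. The function names, the error wording and the single-port-list format are my own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Port-carrying protocols (IANA protocol numbers). */
#define PROTO_TCP    6
#define PROTO_UDP   17
#define PROTO_DCCP  33
#define PROTO_SCTP 132

static const struct { uint8_t num; const char *name; } port_protos[] = {
    { PROTO_TCP,  "tcp"  }, { PROTO_UDP,  "udp"  },
    { PROTO_SCTP, "sctp" }, { PROTO_DCCP, "dccp" },
};

/* Restricted check: returns the name only for protocols that carry L4
 * ports, NULL for everything else. A generic proto_to_name() would
 * happily return "icmp" for protocol 1, which is exactly the problem. */
const char *multiport_check_proto(uint8_t proto)
{
    for (size_t i = 0; i < sizeof(port_protos) / sizeof(port_protos[0]); i++)
        if (port_protos[i].num == proto)
            return port_protos[i].name;
    return NULL;
}

/* Validate "-p <proto> -m multiport --sports <list>" in user space so a
 * bad rule is refused with a readable reason instead of a bare kernel
 * error. Returns 0 on success, -1 with the reason written to errbuf. */
int multiport_validate(uint8_t proto, const char *list, char *errbuf, size_t len)
{
    const char *name = multiport_check_proto(proto);
    const char *p = list;
    if (name == NULL) {
        snprintf(errbuf, len, "multiport only works with TCP, UDP, SCTP and "
                 "DCCP (protocol %u given)", proto);
        return -1;
    }
    while (*p != '\0') {                 /* comma-separated port list */
        char *end;
        unsigned long port = strtoul(p, &end, 10);
        if (end == p || port > 65535 || (*end != ',' && *end != '\0')) {
            snprintf(errbuf, len, "invalid %s port in \"%s\"", name, list);
            return -1;
        }
        p = (*end == ',') ? end + 1 : end;
    }
    return 0;
}
```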



More information about the netfilter-devel mailing list