[Bug 904] Matching ah without optional argument gives unintuitive result

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Thu Feb 20 08:33:30 CET 2014


https://bugzilla.netfilter.org/show_bug.cgi?id=904

--- Comment #5 from Sebastian <saltyacid at gmail.com> 2014-02-20 08:33:29 CET ---
Thanks for your comment!

I agree that my workaround will work for me, but what I'm afraid of is that
someone else uses "ip6tables -A INPUT -m ah -j DROP".

I also agree that we cannot change the behavior of existing code so that the
argument ahspi is mandatory (which is basically the case since matching spi=0
is never what we want).

So I think there are two reasonable ways of improving this:

1) Change the comment "use extension match instead" to "use extension match
with argument --ahspi instead".

2) While using it without ahspi, give the following output:
"Warning: matching spi 0. To match all AH, use ! --ahspi 0 instead"

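An audit check for the pitfall discussed in this bug, added here as an example and not part of the bug report or the iptables project: it scans constructed ip6tables-save style output for rules that load `-m ah` without any `--ahspi` argument (which, in the affected versions, match only SPI 0) and rewrites them to the `! --ahspi 0` form the comment recommends.

```python
import shlex

# Constructed ip6tables-save style input (not taken from the bug report).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m ah -j DROP
-A INPUT -m ah --ahspi 500 -j ACCEPT
-A INPUT -m ah ! --ahspi 0 -j DROP
-A INPUT -p ipv6-icmp -j ACCEPT
COMMIT
"""

def loads_ah_match(toks):
    """True if the token list explicitly loads the ah extension match (-m ah / --match ah)."""
    return any(t in ("-m", "--match") and toks[i + 1] == "ah"
               for i, t in enumerate(toks[:-1]))

def ah_without_spi(rule):
    """True if the rule uses -m ah but gives no --ahspi, i.e. in the affected
    versions it silently matches only SPI 0 instead of all AH traffic."""
    toks = shlex.split(rule)
    return loads_ah_match(toks) and "--ahspi" not in toks

def suggest_fix(rule):
    """Rewrite the rule so the ah match covers every SPI, using the
    '! --ahspi 0' form recommended in the bug comment."""
    toks = shlex.split(rule)
    for i, t in enumerate(toks[:-1]):
        if t in ("-m", "--match") and toks[i + 1] == "ah":
            toks[i + 2:i + 2] = ["!", "--ahspi", "0"]
            break
    # Tokens came from a plain save line, so a space join reproduces it.
    return " ".join(toks)

def audit(save_text):
    """Scan ip6tables-save output; return (line_no, rule, suggested_rule)
    for every rule that matches AH without an SPI argument."""
    findings = []
    for n, line in enumerate(save_text.splitlines(), start=1):
        if line.startswith(("-A", "-I")) and ah_without_spi(line):
            findings.append((n, line, suggest_fix(line)))
    return findings

if __name__ == "__main__":
    for n, rule, fix in audit(SAMPLE_RULES):
        print(f"line {n}: {rule!r} only matches SPI 0; use {fix!r}")
```

Feed it the real output of `ip6tables-save` to find rules that were written as `-m ah` alone; rules that already give `--ahspi` (negated or not) are left untouched.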