[Bug 904] Matching ah without optional argument gives unintuitive result
bugzilla-daemon at netfilter.org
Thu Feb 20 08:33:30 CET 2014
https://bugzilla.netfilter.org/show_bug.cgi?id=904
--- Comment #5 from Sebastian <saltyacid at gmail.com> 2014-02-20 08:33:29 CET ---
Thanks for your comment!
I agree that my workaround will work for me, but what I'm afraid of is that
someone else uses "ip6tables -A INPUT -m ah -j DROP".
I also agree that we cannot change the behavior of existing code so that the
argument ahspi is mandatory (which is basically the case since matching spi=0
is never what we want).
So I think there are two reasonable ways of improving this:
1) Change the comment "use extension match instead" to "use extension match
with argument --ahspi instead".
2) While using it without ahspi, give the following output:
"Warning: matching spi 0. To match all AH, use ! --ahspi 0 instead"
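A lint for the case the comment above is worried about, as an added example that is not part of the original message or of iptables: it flags `ip6tables` commands in a firewall script that load the `ah` match without `--ahspi`. The sample script is constructed and the function names are hypothetical; it assumes each command starts with the literal word `ip6tables`.

```python
import shlex

# Constructed sample firewall script (not taken from the bug report).
SAMPLE_SCRIPT = '''\
ip6tables -A INPUT -m ah -j DROP
ip6tables -A INPUT -m ah ! --ahspi 0 -j DROP
ip6tables -A INPUT -p ah -m ah --ahspi 500:600 -j ACCEPT
ip6tables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# ip6tables -A INPUT -m ah -j DROP
ip6tables -A FORWARD --match ah -m comment --comment "drop AH" -j DROP
'''

MATCH_FLAGS = ("-m", "--match")


def loads_ah_without_spi(tokens):
    """True if the command loads the ah match but never passes --ahspi."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in MATCH_FLAGS and tokens[i + 1] == "ah":
            return "--ahspi" not in tokens[i + 2:]
    return False


def find_ah_without_spi(script_text):
    """Return (line_number, line) for each ip6tables command to review."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        try:
            tokens = shlex.split(line, comments=True)  # drops shell comments
        except ValueError:
            continue  # unbalanced quotes: not a command this lint can read
        if tokens and tokens[0] == "ip6tables" and loads_ah_without_spi(tokens):
            findings.append((lineno, line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, line in find_ah_without_spi(SAMPLE_SCRIPT):
        print(f"line {lineno}: ah match without --ahspi: {line}")
```

Each flagged line is a rule of the form the comment reports as matching only SPI 0; the form it suggests for matching all AH traffic is `! --ahspi 0`.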