[netfilter-cvslog] r6573 - trunk/iptables

kaber at netfilter.org
Wed Mar 29 11:24:46 CEST 2006


Author: kaber at netfilter.org
Date: 2006-03-29 11:24:43 +0200 (Wed, 29 Mar 2006)
New Revision: 6573

Modified:
   trunk/iptables/ip6tables.c
Log:
[PATCH] don't allow to specify protocol of IPv6 extension header (Yasuyuki Kozakai)

Sometimes I hear that people do 'ip6tables -p ah ...' which never matches
any packet. IPv6 extension headers except ESP are skipped and invalid
as an argument to '-p'. Then I propose that ip6tables exits with an error in
such a case.


Modified: trunk/iptables/ip6tables.c
===================================================================
--- trunk/iptables/ip6tables.c	2006-03-29 09:07:36 UTC (rev 6572)
+++ trunk/iptables/ip6tables.c	2006-03-29 09:24:43 UTC (rev 6573)
@@ -849,6 +849,17 @@
 	return (u_int16_t)proto;
 }
 
+/* proto means IPv6 extension header ? */
+static int is_exthdr(u_int16_t proto)
+{
+	return (proto == IPPROTO_HOPOPTS ||
+		proto == IPPROTO_ROUTING ||
+		proto == IPPROTO_FRAGMENT ||
+		proto == IPPROTO_ESP ||
+		proto == IPPROTO_AH ||
+		proto == IPPROTO_DSTOPTS);
+}
+
 void parse_interface(const char *arg, char *vianame, unsigned char *mask)
 {
 	int vialen = strlen(arg);
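Review bot: is_exthdr() returns true for IPPROTO_ESP, yet the only caller added in this patch has to exclude ESP explicitly before acting on the result, because ESP is the one extension header that can be matched with '-p'. Either drop IPPROTO_ESP from the list so the helper answers the question the caller actually asks, or make the comment state that the list covers every extension header number including the matchable ESP; as written, `/* proto means IPv6 extension header ? */` would also read better as `/* Is proto an IPv6 extension header? */`.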
@@ -1926,6 +1937,11 @@
 			    && (fw.ipv6.invflags & IP6T_INV_PROTO))
 				exit_error(PARAMETER_PROBLEM,
 					   "rule would never match protocol");
+			
+			if (fw.ipv6.proto != IPPROTO_ESP &&
+			    is_exthdr(fw.ipv6.proto))
+				printf("Warning: never matched protocol: %s. "
+				       "use exension match instead.", protocol);
 			break;
 
 		case 's':
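Review bot: the log message says ip6tables should exit with an error for these protocols, but the hunk only emits a warning with printf() and continues, so 'ip6tables -p ah' still installs a rule that never matches; for consistency with the exit_error() call just above, use exit_error(PARAMETER_PROBLEM, ...), or at least send the warning to stderr with a trailing newline, since the string currently has no '\n' and will run into whatever is printed next. The message also has a typo, "exension" should be "extension", and the blank line added before the check consists only of tab characters.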



