author | /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org </C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org> | 2006-03-29 09:24:43 +0000 |
---|---|---|
committer | /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org </C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org> | 2006-03-29 09:24:43 +0000 |
commit | 10209f5f63ed684fc700d3dcc07a207951d08cd8 (patch) | |
tree | f87f98043460eb27f317796da9fa7c6c4065d167 /ip6tables.c | |
parent | 74c14ed8f0fe59a355fd678be9dacaaadf19adf5 (diff) |
[PATCH] don't allow to specify protocol of IPv6 extension header (Yasuyuki Kozakai)
Sometimes I hear that people do 'ip6tables -p ah ...', which never matches
any packet. IPv6 extension headers other than ESP are skipped and are invalid
as an argument of '-p'. So I propose that ip6tables exits with an error in such
a case.
Diffstat (limited to 'ip6tables.c')
-rw-r--r-- | ip6tables.c | 16 |
1 files changed, 16 insertions, 0 deletions
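diff --git a/ip6tables.c b/ip6tables.c
index dcf7d36..00c4f6d 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -849,6 +849,17 @@ parse_protocol(const char *s)
 	return (u_int16_t)proto;
 }
+/* proto means IPv6 extension header ? */
+static int is_exthdr(u_int16_t proto)
+{
+	return (proto == IPPROTO_HOPOPTS ||
+		proto == IPPROTO_ROUTING ||
+		proto == IPPROTO_FRAGMENT ||
+		proto == IPPROTO_ESP ||
+		proto == IPPROTO_AH ||
+		proto == IPPROTO_DSTOPTS);
+}
+
 void parse_interface(const char *arg, char *vianame, unsigned char *mask)
 {
 	int vialen = strlen(arg);
@@ -1926,6 +1937,11 @@ int do_command6(int argc, char *argv[], char **table, ip6tc_handle_t *handle)
 			    && (fw.ipv6.invflags & IP6T_INV_PROTO))
 				exit_error(PARAMETER_PROBLEM, "rule would never match protocol");
+
+			if (fw.ipv6.proto != IPPROTO_ESP &&
+			    is_exthdr(fw.ipv6.proto))
+				printf("Warning: never matched protocol: %s. "
+				       "use exension match instead.", protocol);
 			break;
 		case 's':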
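Review bot: The warning added in the second hunk is written with printf() to stdout, has no trailing newline and misspells "extension", so in a script it is buffered, fused with the next line of output and easily overlooked — which matters because a rule like `-p ah` silently never matches while the operator believes that traffic is filtered. The commit description says ip6tables should exit with an error in this case, but the code only warns; either use `exit_error(PARAMETER_PROBLEM, ...)` as the IP6T_INV_PROTO check directly above does, or at least write `fprintf(stderr, "Warning: never matched protocol: %s. " "use extension match instead.\n", protocol);`. In the first hunk is_exthdr() includes IPPROTO_ESP only for the caller to exclude it again; dropping ESP from the list, or a comment such as `/* ESP is the one extension header '-p' can match; callers must exclude it */`, would make the helper's contract clearer. The enclosing switch in do_command6() starts and ends outside the hunk.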