Diffstat (limited to 'ip6tables.c')
-rw-r--r--ip6tables.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/ip6tables.c b/ip6tables.c
index dcf7d367..00c4f6db 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -849,6 +849,17 @@ parse_protocol(const char *s)
return (u_int16_t)proto;
}
+/* proto means IPv6 extension header ? */
+static int is_exthdr(u_int16_t proto)
+{
+ return (proto == IPPROTO_HOPOPTS ||
+ proto == IPPROTO_ROUTING ||
+ proto == IPPROTO_FRAGMENT ||
+ proto == IPPROTO_ESP ||
+ proto == IPPROTO_AH ||
+ proto == IPPROTO_DSTOPTS);
+}
+
void parse_interface(const char *arg, char *vianame, unsigned char *mask)
{
int vialen = strlen(arg);
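Review bot: is_exthdr() returns true for IPPROTO_ESP, yet the only caller added in this commit (the warning in do_command6) immediately exempts ESP with `fw.ipv6.proto != IPPROTO_ESP`, so the helper and its use disagree about whether ESP counts as an extension header here. Either drop `proto == IPPROTO_ESP ||` from the helper, or keep it and say why at the definition, e.g. `/* Returns non-zero if proto is an IPv6 extension header number. ESP is listed, but the protocol check in do_command6 exempts it. */`. The existing comment `/* proto means IPv6 extension header ? */` reads as a question; a statement of the return value would serve the next reader better. is_exthdr is complete within the hunk, while parse_interface continues outside it.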
@@ -1926,6 +1937,11 @@ int do_command6(int argc, char *argv[], char **table, ip6tc_handle_t *handle)
&& (fw.ipv6.invflags & IP6T_INV_PROTO))
exit_error(PARAMETER_PROBLEM,
"rule would never match protocol");
+
+ if (fw.ipv6.proto != IPPROTO_ESP &&
+ is_exthdr(fw.ipv6.proto))
+ printf("Warning: never matched protocol: %s. "
+ "use exension match instead.", protocol);
break;
case 's':
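Review bot: The warning added after the "rule would never match protocol" check goes to stdout via printf and has no trailing newline, so it runs into whatever is printed next and is lost when a script discards or parses stdout. Because the rule it describes is still installed but will not filter anything, the operator needs to see it, so it belongs on stderr: `fprintf(stderr, "Warning: never matched protocol: %s. use extension match instead.\n", protocol);` (this also corrects the "exension" typo). The condition does not consult `IP6T_INV_PROTO`, so for an inverted protocol match the text "never matched" is presumably wrong and should be confirmed and worded separately. It is also worth deciding whether this case should be rejected with `exit_error(PARAMETER_PROBLEM, ...)` like the check just above, rather than accepted with a warning. do_command6 starts and ends outside the hunk.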