From 10209f5f63ed684fc700d3dcc07a207951d08cd8 Mon Sep 17 00:00:00 2001
From: "/C=DE/ST=Berlin/L=Berlin/O=Netfilter
 Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org"
 </C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org>
Date: Wed, 29 Mar 2006 09:24:43 +0000
Subject: [PATCH] don't allow to specify protocol of IPv6 extension header
 (Yasuyuki Kozakai)

Sometimes I hear that people do 'ip6tables -p ah ...' which never matches
any packet. IPv6 extension headers except of ESP are skipped and invalid
as argument of '-p'. Then I propose that ip6tables exits with error in such
case.
---
 ip6tables.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/ip6tables.c b/ip6tables.c
index dcf7d36..00c4f6d 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -849,6 +849,17 @@ parse_protocol(const char *s)
 	return (u_int16_t)proto;
 }
 
+/* proto means IPv6 extension header ? */
+static int is_exthdr(u_int16_t proto)
+{
+	return (proto == IPPROTO_HOPOPTS ||
+		proto == IPPROTO_ROUTING ||
+		proto == IPPROTO_FRAGMENT ||
+		proto == IPPROTO_ESP ||
+		proto == IPPROTO_AH ||
+		proto == IPPROTO_DSTOPTS);
+}
+
 void parse_interface(const char *arg, char *vianame, unsigned char *mask)
 {
 	int vialen = strlen(arg);
@@ -1926,6 +1937,11 @@ int do_command6(int argc, char *argv[], char **table, ip6tc_handle_t *handle)
 			    && (fw.ipv6.invflags & IP6T_INV_PROTO))
 				exit_error(PARAMETER_PROBLEM,
 					   "rule would never match protocol");
+			
+			if (fw.ipv6.proto != IPPROTO_ESP &&
+			    is_exthdr(fw.ipv6.proto))
+				printf("Warning: never matched protocol: %s. "
+				       "use exension match instead.", protocol);
 			break;
 
 		case 's':
-- 
cgit v1.2.3