authorYasuyuki KOZAKAI <yasuyuki@netfilter.org>2007-06-11 20:17:34 +0000
committerYasuyuki KOZAKAI <yasuyuki@netfilter.org>2007-06-11 20:17:34 +0000
commitf69e30c0107ceff61296045cfd36ea0506d54186 (patch)
tree12c8f5eed0e469d91fdce7932a85caae6faad16c
parent1d9872d7d6f2199130bb67fe8988baade53d25c1 (diff)
'-p all' and '-p 0' should be allowed. Also, ip6tables in the kernel actually
allows '! -p xxx' where xxx is an extension header; such a rule matches all valid IPv6 packets.
-rw-r--r--ip6tables.c13
1 files changed, 6 insertions, 7 deletions
diff --git a/ip6tables.c b/ip6tables.c
index 4510ba4a..e742631e 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -883,13 +883,11 @@ parse_protocol(const char *s)
return (u_int16_t)proto;
}
-/* proto means IPv6 extension header ? */
+/* These are invalid numbers as upper layer protocol */
static int is_exthdr(u_int16_t proto)
{
- return (proto == IPPROTO_HOPOPTS ||
- proto == IPPROTO_ROUTING ||
+ return (proto == IPPROTO_ROUTING ||
proto == IPPROTO_FRAGMENT ||
- proto == IPPROTO_ESP ||
proto == IPPROTO_AH ||
proto == IPPROTO_DSTOPTS);
}
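Review bot: The new header comment on is_exthdr does not say why HOPOPTS and ESP are no longer in the list, and the name is_exthdr now contradicts the body, since both dropped values are extension-header or IPsec numbers. The HOPOPTS omission appears to exist because IPPROTO_HOPOPTS is 0, the value '-p all' / '-p 0' resolve to, and ESP was already special-cased by the caller before this commit folded the check in here, but neither reason is visible at the definition. I would replace the comment with `/* Extension-header numbers that are not valid as the upper-layer protocol of -p: HOPOPTS is left out because it is 0 ("all"), ESP because it is a real payload match. */` so a later maintainer does not "fix" the list by adding them back. A rename such as is_unmatchable_exthdr would make the call site in do_command6 read correctly too.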
@@ -2062,10 +2060,11 @@ int do_command6(int argc, char *argv[], char **table, ip6tc_handle_t *handle)
exit_error(PARAMETER_PROBLEM,
"rule would never match protocol");
- if (fw.ipv6.proto != IPPROTO_ESP &&
- is_exthdr(fw.ipv6.proto))
+ if (is_exthdr(fw.ipv6.proto)
+ && (fw.ipv6.invflags & IP6T_INV_PROTO) == 0)
printf("Warning: never matched protocol: %s. "
- "use exension match instead.", protocol);
+ "use extension match instead.\n",
+ protocol);
break;
case 's':
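Review bot: The warning at the printf call is still written to stdout, so it is mixed into any output a script captures from ip6tables, while the exit_error path just above it reports on the error channel; diagnostics belong on stderr. The one-line change is `fprintf(stderr, "Warning: never matched protocol: %s. "` with the rest of the format string unchanged. The new two-line condition is correct for the intent in the description (an inverted match is accepted by the kernel and matches all valid IPv6 packets, so no warning), but the `&&` placed at the start of the continuation line differs from the trailing-operator style used elsewhere in this file, e.g. in is_exthdr. The enclosing switch and do_command6 itself start and end outside this hunk.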