diff options
author | Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp> | 2006-03-29 09:24:43 +0000 |
---|---|---|
committer | Patrick McHardy <kaber@trash.net> | 2006-03-29 09:24:43 +0000 |
commit | 78716a9a8c039b18e2f8e476b2a4c76ec17437b2 (patch) | |
tree | f87f98043460eb27f317796da9fa7c6c4065d167 /ip6tables.c | |
parent | a258ad7002ae4b4f366800f512db938fb78d0661 (diff) |
don't allow to specify protocol of IPv6 extension header (Yasuyuki Kozakai)
Sometimes I hear that people do 'ip6tables -p ah ...' which never matches
any packet. IPv6 extension headers except of ESP are skipped and invalid
as argument of '-p'. Then I propose that ip6tables exits with error in such
case.
Diffstat (limited to 'ip6tables.c')
-rw-r--r-- | ip6tables.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/ip6tables.c b/ip6tables.c index dcf7d367..00c4f6db 100644 --- a/ip6tables.c +++ b/ip6tables.c @@ -849,6 +849,17 @@ parse_protocol(const char *s) return (u_int16_t)proto; } +/* proto means IPv6 extension header ? */ +static int is_exthdr(u_int16_t proto) +{ + return (proto == IPPROTO_HOPOPTS || + proto == IPPROTO_ROUTING || + proto == IPPROTO_FRAGMENT || + proto == IPPROTO_ESP || + proto == IPPROTO_AH || + proto == IPPROTO_DSTOPTS); +} + void parse_interface(const char *arg, char *vianame, unsigned char *mask) { int vialen = strlen(arg); @@ -1926,6 +1937,11 @@ int do_command6(int argc, char *argv[], char **table, ip6tc_handle_t *handle) && (fw.ipv6.invflags & IP6T_INV_PROTO)) exit_error(PARAMETER_PROBLEM, "rule would never match protocol"); + + if (fw.ipv6.proto != IPPROTO_ESP && + is_exthdr(fw.ipv6.proto)) + printf("Warning: never matched protocol: %s. " + "use exension match instead.", protocol); break; case 's': |