authorFlorian Westphal <fw@strlen.de>2016-03-02 13:56:43 +0100
committerFlorian Westphal <fw@strlen.de>2016-03-02 13:56:43 +0100
commitd63da0cc9620ae4a274fb006f0ca01e1e0ecf4f2 (patch)
tree058107277c3b962fca8388e5b84db472724cac56 /src
parent92a9e83b41dc0a1600aa0af63fe569fcb6277e56 (diff)
evaluate: enforce ip6 proto with exthdr expression
Don't allow use of exthdr with e.g. ip family. Move frag.t to ip6 directory and don't use it with ipv4 anymore. This change causes major test failures for all exthdr users since they now fail with inet/bridge/netdev families. Will be resolved in a later patch -- we need to add an ipv6 dependency for them. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r--src/evaluate.c18
1 files changed, 17 insertions, 1 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index a49cdd93..47a1f8ca 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -343,6 +343,21 @@ conflict_resolution_gen_dependency(struct eval_ctx *ctx, int protocol,
return 0;
}
+/*
+ * Exthdr expression: check whether dependencies are fulfilled.
+ */
+static int expr_evaluate_exthdr(struct eval_ctx *ctx, struct expr **expr)
+{
+ const struct proto_desc *base;
+
+ base = ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc;
+ if (base == &proto_ip6)
+ return expr_evaluate_primary(ctx, expr);
+
+ return expr_error(ctx->msgs, *expr,
+ "exthdr can only be used with ipv6");
+}
+
/* dependency supersede.
*
* 'inet' is a 'phony' l2 dependeny used by NFPROTO_INET to fulfill network
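Review bot: The header comment on expr_evaluate_exthdr says only that dependencies are checked, but the function generates none — it rejects the expression outright unless the network-header protocol context already resolves to ip6, which is exactly why the commit message expects inet/bridge/netdev rules to fail until an ipv6 dependency is added. I would state that in the comment so the next reader does not look for dependency generation here: `/* Exthdr expression: only valid when the network header context is already known to be ip6; any other or still-unknown base protocol is rejected (no ipv6 dependency is generated here). */`. A NULL base (presumably the case when no network header has been established yet) takes the same error path, which is the safe default, so the pointer comparison is fine as written. Naming the actual base protocol in the error would make the rejection easier to diagnose — if proto_desc carries a name field, something like `base ? base->name : "unknown"` in the message — but that is optional.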
@@ -1320,8 +1335,9 @@ static int expr_evaluate(struct eval_ctx *ctx, struct expr **expr)
return 0;
case EXPR_VALUE:
return expr_evaluate_value(ctx, expr);
- case EXPR_VERDICT:
case EXPR_EXTHDR:
+ return expr_evaluate_exthdr(ctx, expr);
+ case EXPR_VERDICT:
case EXPR_META:
return expr_evaluate_primary(ctx, expr);
case EXPR_PAYLOAD: