
linux-2.4.36: Commit

2.4.36-stable kernel tree


Commit MetaInfo

Revision59a1f6d68cdd824f303554922a77ddaf0a2a887e (tree)
Zeit2008-10-20 04:22:20
AutorYasuyuki KOZAKAI <yasuyuki.kozakai@tosh...>
CommiterWilly Tarreau

Log Message

netfilter: ip6t_{hbh,dst}: Rejects not-strict mode on rule insertion

[2.6 commit: 8ca31ce52a5cfd03b960fd81a49197ae85d25347]

The current code ignores rules for internal options in the HBH/DST options
header during packet processing if 'Not strict' mode is specified (which is
not implemented). Clearly this is not what the user expects.

Kernel should reject HBH/DST rule insertion with 'Not strict' mode
in the first place.

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Willy Tarreau <w@1wt.eu>

Ändern Zusammenfassung

Diff

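--- a/net/ipv6/netfilter/ip6t_dst.c
+++ b/net/ipv6/netfilter/ip6t_dst.c
@@ -172,8 +172,6 @@ match(const struct sk_buff *skb,
 hdrlen -= 2;
 if ( !(optinfo->flags & IP6T_OPTS_OPTS) ){
 return ret;
-} else if (optinfo->flags & IP6T_OPTS_NSTRICT) {
-DEBUGP("Not strict - not implemented");
 } else {
 DEBUGP("Strict ");
 DEBUGP("#%d ",optinfo->optsnr);
@@ -253,6 +251,10 @@ checkentry(const char *tablename,
 optsinfo->invflags);
 return 0;
 }
+if (optsinfo->flags & IP6T_OPTS_NSTRICT) {
+DEBUGP("ip6t_opts: Not strict - not implemented");
+return 0;
+}
 
 return 1;
 }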
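Review bot: In the checkentry hunk the new rejection reports its reason only through DEBUGP, and the string has no trailing newline: `DEBUGP("ip6t_opts: Not strict - not implemented");`. If DEBUGP is compiled out in normal builds (its definition is not visible here), an administrator whose rule is refused gets only the generic failure from `return 0` and no hint that IP6T_OPTS_NSTRICT was the cause; failing closed at insertion is the right behaviour for a firewall rule, but the reason should be discoverable. I would add the newline, `DEBUGP("ip6t_opts: Not strict - not implemented\n");`, and a comment above the test such as `/* Not-strict matching is unimplemented: refuse the rule rather than load one that match() would not enforce. */`. The same lines appear in the checkentry hunk of net/ipv6/netfilter/ip6t_hbh.c; checkentry begins, and match() continues, outside the hunks shown.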
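--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -172,8 +172,6 @@ match(const struct sk_buff *skb,
 hdrlen -= 2;
 if ( !(optinfo->flags & IP6T_OPTS_OPTS) ){
 return ret;
-} else if (optinfo->flags & IP6T_OPTS_NSTRICT) {
-DEBUGP("Not strict - not implemented");
 } else {
 DEBUGP("Strict ");
 DEBUGP("#%d ",optinfo->optsnr);
@@ -253,6 +251,10 @@ checkentry(const char *tablename,
 optsinfo->invflags);
 return 0;
 }
+if (optsinfo->flags & IP6T_OPTS_NSTRICT) {
+DEBUGP("ip6t_opts: Not strict - not implemented");
+return 0;
+}
 
 return 1;
 }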