OSDN > 브라 우즈 소프트웨어 > Linux Kernel Documents > SCM > git > linux-2.4.36 > Commit

Linux Kernel Documents
Fork
linux-2.6
linux-2.4.36

R/O
HTTP
SSH
HTTPS

linux-2.4.36: Commit

2.4.36-stable kernel tree

Commit MetaInfo

Revision	59a1f6d68cdd824f303554922a77ddaf0a2a887e (tree)
Time	2008-10-20 04:22:20
Author	Yasuyuki KOZAKAI <yasuyuki.kozakai@tosh...>
Commiter	Willy Tarreau

Log Message

netfilter: ip6t_{hbh,dst}: Rejects not-strict mode on rule insertion

[2.6 commit: 8ca31ce52a5cfd03b960fd81a49197ae85d25347]

The current code ignores rules for internal options in HBH/DST options
header in packet processing if 'Not strict' mode is specified (which is not
implemented). Clearly it is not expected by user.

Kernel should reject HBH/DST rule insertion with 'Not strict' mode
in the first place.

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Willy Tarreau <w@1wt.eu>

Change Summary

modified: net/ipv6/netfilter/ip6t_dst.c (diff)
modified: net/ipv6/netfilter/ip6t_hbh.c (diff)

Incremental Difference

--- a/net/ipv6/netfilter/ip6t_dst.c

+++ b/net/ipv6/netfilter/ip6t_dst.c

		@@ -172,8 +172,6 @@ match(const struct sk_buff *skb,
172	172	hdrlen -= 2;
173	173	if ( !(optinfo->flags & IP6T_OPTS_OPTS) ){
174	174	return ret;
175		- } else if (optinfo->flags & IP6T_OPTS_NSTRICT) {
176		- DEBUGP("Not strict - not implemented");
177	175	} else {
178	176	DEBUGP("Strict ");
179	177	DEBUGP("#%d ",optinfo->optsnr);

		@@ -253,6 +251,10 @@ checkentry(const char *tablename,
253	251	optsinfo->invflags);
254	252	return 0;
255	253	}
	254	+ if (optsinfo->flags & IP6T_OPTS_NSTRICT) {
	255	+ DEBUGP("ip6t_opts: Not strict - not implemented");
	256	+ return 0;
	257	+ }
256	258
257	259	return 1;
258	260	}

--- a/net/ipv6/netfilter/ip6t_hbh.c

+++ b/net/ipv6/netfilter/ip6t_hbh.c

		@@ -172,8 +172,6 @@ match(const struct sk_buff *skb,
172	172	hdrlen -= 2;
173	173	if ( !(optinfo->flags & IP6T_OPTS_OPTS) ){
174	174	return ret;
175		- } else if (optinfo->flags & IP6T_OPTS_NSTRICT) {
176		- DEBUGP("Not strict - not implemented");
177	175	} else {
178	176	DEBUGP("Strict ");
179	177	DEBUGP("#%d ",optinfo->optsnr);

		@@ -253,6 +251,10 @@ checkentry(const char *tablename,
253	251	optsinfo->invflags);
254	252	return 0;
255	253	}
	254	+ if (optsinfo->flags & IP6T_OPTS_NSTRICT) {
	255	+ DEBUGP("ip6t_opts: Not strict - not implemented");
	256	+ return 0;
	257	+ }
256	258
257	259	return 1;
258	260	}

Show on old repository browser