On Tuesday 2012-08-07 15:10, Michal Kubecek wrote:

>If no --fragid option is given, frag extension matches only
>fragments with zero Identification field. This is unexpected and
>it breaks ip6tables-save/ip6tables-restore functionality. Match
>any frag id instead.

I've picked this one up, adding documentation about some more pitfalls. This now reads

parent 8bbad67df4a7fb69ed73d4bf90dcb3cf77fd2a03 (v1.4.15-11-g8bbad67)
commit 3cfec6fcf5da5263ba6df5ceab5e100440907879
Author: Michal Kubeček <mkubecek@xxxxxxx>
Date: Tue Aug 7 15:10:05 2012 +0200

libip6t_frag: match any frag id by default

If no --fragid option is given, the frag extension only matches fragments with a zero-valued "Identification" field. This behavior deviates from what other extensions do (they match all values in this case) and is unexpected, and therefore changed by this patch.

Additionally, --fragid 0:4294967295 leads to no output on `iptables -S` because part of the code thinks that this would be the default, when it is not. So, default to match all frag values, such that iptables -S not outputting anything also becomes correct.

Signed-off-by: Michal Kubecek <mkubecek@xxxxxxx>
Signed-off-by: Jan Engelhardt <jengelh@xxxxxxx>
--- extensions/libip6t_frag.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/extensions/libip6t_frag.c b/extensions/libip6t_frag.c index d8bcaee..023df62 100644 --- a/extensions/libip6t_frag.c +++ b/extensions/libip6t_frag.c @@ -41,6 +41,13 @@ static const struct xt_option_entry frag_opts[] = { }; #undef s +static void frag_init(struct xt_entry_match *m) +{ + struct ip6t_frag *fraginfo = (void *)m->data; + + fraginfo->ids[1] = ~0U; +} + static void frag_parse(struct xt_option_call *cb) { struct ip6t_frag *fraginfo = cb->data; 
@@ -173,6 +180,7 @@ static struct xtables_match frag_mt6_reg = { .size = XT_ALIGN(sizeof(struct ip6t_frag)), .userspacesize = XT_ALIGN(sizeof(struct ip6t_frag)), .help = frag_help, + .init = frag_init, .print = frag_print, .save = frag_save, .x6_parse = frag_parse, -- # Created with git-export-patch
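
Review bot: In frag_init (first hunk, @@ -41,6 +41,13 @@), only ids[1] is assigned, so the intended 0:4294967295 default depends on ids[0] already being zero when .init is called, and nothing in the hunk states that. Consider adding fraginfo->ids[0] = 0; next to fraginfo->ids[1] = ~0U;, or a one-line comment saying that the pair is the full range and is what the print and save code treats as "no --fragid given", so the link to the iptables -S behavior described in the commit message is visible in the source.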
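
Review bot: Documentation and test coverage are missing for the behavior change that .init = frag_init (second hunk, @@ -173,6 +180,7 @@) switches on: a rule using -m frag without --fragid previously matched only Identification 0 and now matches any value, yet the diffstat lists extensions/libip6t_frag.c as the only file changed. Suggest a sentence in the extension's manual text stating the new default, so administrators reviewing existing rulesets know the match has widened, and a save/restore round-trip check for a rule without --fragid, since that is the case the original report describes as broken.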