On Thu, 2013-05-02 at 00:23 +0200, Pablo Neira Ayuso wrote:
> On Wed, May 01, 2013 at 08:02:35PM +0200, Anders K. Pedersen | Surftown wrote:
> > +	if (ntohs(iph->frag_off) & IP_OFFSET)
> > +		switch (protocol) {
> > +		case IPPROTO_TCP:
> > +		case IPPROTO_SCTP:
> > +		case IPPROTO_UDP:
> > +		case IPPROTO_UDPLITE:
> > +		case IPPROTO_ICMP:
> > +			/* Port info not available for fragment offset > 0 */
> > +			return false;
>
> You can probably use proto_ports_offset for this?

I'm not sure that is a good idea. The protocols in proto_ports_offset() don't match what ipset supports:

static inline int proto_ports_offset(int proto)
{
	switch (proto) {
	case IPPROTO_TCP:
	case IPPROTO_UDP:
	case IPPROTO_DCCP:
	case IPPROTO_ESP:	/* SPI */
	case IPPROTO_SCTP:
	case IPPROTO_UDPLITE:
		return 0;
	case IPPROTO_AH:	/* SPI */
		return 4;
	default:
		return -EINVAL;
	}
}

Ports for DCCP, ESP, and AH aren't supported by ipset. I could add that support, but I don't think it makes sense for ipset to match on SPI for ESP and AH?

-- 
Venlig hilsen / Best Regards

Anders K. Pedersen
Surftown A/S
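Review bot: the `if (ntohs(iph->frag_off) & IP_OFFSET)` test in the quoted hunk only rejects non-first fragments; a first fragment (offset 0) can still end before the transport header, so whatever reads the port after this check must stay bounds-checked, and a one-line comment saying so next to `/* Port info not available for fragment offset > 0 */` would make the intent clear. Two smaller points on the same lines: the `switch` body hanging under the `if` without braces is easy to misread when another statement is added later, and the `case IPPROTO_ICMP:` entry sits under a comment that talks about "port info" although ICMP has no ports, so say which ICMP field ipset treats as the port here. A short comment that the case list is deliberately ipset's own (not the kernel's proto_ports_offset() set) would also answer the question raised in the reply above.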
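To show the two distinct failure modes the patch and the reply are discussing (a non-first fragment, which carries no transport header at all, and a first fragment that is simply too short to hold the port pair), here is a user-space C example added to this page. It is not ipset's or the kernel's code: `example_ports_offset()` mirrors the shape of the kernel's proto_ports_offset() but keeps only the protocols the patch lists, and it assumes, as this example's own convention, that ICMP's type and code bytes are read in place of a source port. The packets it parses are constructed inline; every `example_*` name is hypothetical.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel or ipset code. Port-pair offset inside the L4
 * header for the protocols the quoted patch handles; ICMP is included on
 * the assumption that type/code occupy the "port" slot. */
int example_ports_offset(int proto)
{
    switch (proto) {
    case IPPROTO_TCP:
    case IPPROTO_UDP:
    case IPPROTO_UDPLITE:
    case IPPROTO_SCTP:
    case IPPROTO_ICMP:
        return 0;
    default:
        return -EINVAL;      /* DCCP, ESP, AH, ... deliberately unsupported */
    }
}

/* Minimal IPv4 header for the constructed packets (20 bytes, no options). */
struct example_ipv4_hdr {
    uint8_t  ver_ihl, tos;
    uint16_t tot_len, id;
    uint16_t frag_off;       /* network order; low 13 bits are the offset */
    uint8_t  ttl, protocol;
    uint16_t check;
    uint32_t saddr, daddr;
};

#define EXAMPLE_IP_OFFSET 0x1FFF   /* same mask value as the kernel's IP_OFFSET */

/* Returns true and stores the port when it can be read safely. Refuses
 * non-first fragments, unsupported protocols, and packets that end before
 * the port pair (the case a fragment-offset check alone does not cover). */
bool example_get_port(const uint8_t *pkt, size_t len, bool src, uint16_t *port)
{
    struct example_ipv4_hdr iph;
    if (len < sizeof iph)
        return false;
    memcpy(&iph, pkt, sizeof iph);

    size_t ihl = (iph.ver_ihl & 0x0F) * 4u;
    if ((iph.ver_ihl >> 4) != 4 || ihl < sizeof iph || ihl > len)
        return false;

    /* Non-first fragment: the transport header lives in another datagram. */
    if (ntohs(iph.frag_off) & EXAMPLE_IP_OFFSET)
        return false;

    int off = example_ports_offset(iph.protocol);
    if (off < 0)
        return false;

    /* First fragment, but truncated before the 4-byte port pair. */
    if (len < ihl + (size_t)off + 4)
        return false;

    uint16_t be;
    memcpy(&be, pkt + ihl + off + (src ? 0 : 2), 2);
    *port = ntohs(be);
    return true;
}

/* Constructed packet: 20-byte IPv4 header, then sport/dport, then `extra`
 * zero bytes. frag_off is given in host order (flags in the top 3 bits). */
size_t example_build(uint8_t *buf, size_t cap, uint8_t proto, uint16_t frag_off,
                     uint16_t sport, uint16_t dport, size_t extra)
{
    struct example_ipv4_hdr iph = {0};
    size_t total = sizeof iph + 4 + extra;
    if (cap < total)
        return 0;
    iph.ver_ihl = 0x45;
    iph.tot_len = htons((uint16_t)total);
    iph.frag_off = htons(frag_off);
    iph.ttl = 64;
    iph.protocol = proto;
    iph.saddr = htonl(0x0a000001);           /* 10.0.0.1, constructed */
    iph.daddr = htonl(0x0a000002);           /* 10.0.0.2, constructed */
    memcpy(buf, &iph, sizeof iph);
    uint16_t be = htons(sport); memcpy(buf + sizeof iph, &be, 2);
    be = htons(dport);          memcpy(buf + sizeof iph + 2, &be, 2);
    memset(buf + sizeof iph + 4, 0, extra);
    return total;
}

/* Builds one scenario and returns the port read, or -1 when refused.
 * truncate_to > 0 shortens the packet to simulate a short first fragment. */
int example_probe(uint8_t proto, uint16_t frag_off, uint16_t sport, uint16_t dport,
                  size_t extra, size_t truncate_to, bool src)
{
    uint8_t buf[128];
    uint16_t port;
    size_t n = example_build(buf, sizeof buf, proto, frag_off, sport, dport, extra);
    if (n == 0)
        return -1;
    if (truncate_to && truncate_to < n)
        n = truncate_to;
    return example_get_port(buf, n, src, &port) ? (int)port : -1;
}

int main(void)
{
    printf("TCP first fragment (MF set), sport: %d\n", example_probe(IPPROTO_TCP, 0x2000, 443, 51000, 8, 0, true));
    printf("TCP non-first fragment (offset 185): %d\n", example_probe(IPPROTO_TCP, 185, 443, 51000, 8, 0, true));
    printf("UDP first fragment cut to 22 bytes:  %d\n", example_probe(IPPROTO_UDP, 0, 53, 4000, 0, 22, true));
    printf("ESP (unsupported, SPI not a port):   %d\n", example_probe(IPPROTO_ESP, 0, 1, 2, 0, 0, true));
    return 0;
}
```

The second and third cases are the ones worth separating in review: both return "no port", but for different reasons, and only the fragment-offset test in the patch addresses the second. The third is caught solely by the length check before the read.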