Hi Phil, On Thu, Jul 11, 2013 at 12:03:43PM -0700, Phil Oester wrote: > As stated in RFC 4291: > > There are no broadcast addresses in IPv6, their function being > superseded by multicast addresses. > > As such, the pkttype match should not allow IPv6 rules to be added > which attempt to match broadcast packets. The addrtype match already > rejects such attempts. > > Phil > > Signed-off-by: Phil Oester <kernel@xxxxxxxxxxxx> > > > diff --git a/net/netfilter/xt_pkttype.c b/net/netfilter/xt_pkttype.c > index 5b645cb..4c0b0e1 100644 > --- a/net/netfilter/xt_pkttype.c > +++ b/net/netfilter/xt_pkttype.c 
> @@ -42,13 +42,29 @@ pkttype_mt(const struct sk_buff *skb, struct xt_action_param *par) > return (type == info->pkttype) ^ info->invert; > } > > +static int pkttype_mt_checkentry(const struct xt_mtchk_param *par) > +{ > + const struct xt_pkttype_info *info = par->matchinfo; > + > +#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) > + if (par->family == NFPROTO_IPV6) { > + if (info->pkttype == PACKET_BROADCAST) { > + pr_err("IPv6 does not support BROADCAST packets\n"); > + return -EINVAL; > + } > + } pkttype is set from the ethernet layer, so it's still possible to forge a packet using the ethernet broadcast address on IPv6 (even if it's illegal), we should allow our users to drop that from ip6tables. > +#endif > + return 0; > +} > + > static struct xt_match pkttype_mt_reg __read_mostly = { > - .name = "pkttype", > - .revision = 0, > - .family = NFPROTO_UNSPEC, > - .match = pkttype_mt, > - .matchsize = sizeof(struct xt_pkttype_info), > - .me = THIS_MODULE, > + .name = "pkttype", > + .revision = 0, > + .family = NFPROTO_UNSPEC, > + .checkentry = pkttype_mt_checkentry, > + .match = pkttype_mt, > + .matchsize = sizeof(struct xt_pkttype_info), > + .me = THIS_MODULE, > }; > > static int __init pkttype_mt_init(void) -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
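Review bot: the rejection added in pkttype_mt_checkentry applies an IP-layer rule to a link-layer value. The field it guards, `info->pkttype == PACKET_BROADCAST`, is what pkttype_mt compares against skb->pkt_type, and pkt_type is set by the link layer from the destination MAC, not from the IPv6 header, so an IPv6 packet carried in a broadcast frame still arrives with PACKET_BROADCAST. Returning -EINVAL here takes away the only way an ip6tables user has to match and drop such frames, which is a loss for the defender rather than a correctness gain; the addrtype comparison in the commit message does not transfer, because addrtype classifies IP addresses through the routing table instead of reading pkt_type. Suggest dropping the check, or at most keeping a diagnostic that still returns 0. Two smaller points: the `#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)` wrapper is not needed, since `par->family == NFPROTO_IPV6` can be tested unconditionally and the guard only makes the module behave differently depending on kernel config; and the re-indentation of the unchanged .name/.revision/.family/.match/.matchsize/.me initializers is whitespace churn that is easier to review as a separate patch or left out.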