On Tue, Jun 07, 2016 at 09:33:13AM +0200, Laura Garcia Liebana wrote:
> diff --git a/extensions/libip6t_frag.c b/extensions/libip6t_frag.c > index 023df62..7871fb9 100644 > --- a/extensions/libip6t_frag.c > +++ b/extensions/libip6t_frag.c > @@ -173,6 +173,35 @@ static void frag_save(const void *ip, const struct xt_entry_match *match) > printf(" --fraglast"); > } > > +static int frag_xlate(const void *ip, const struct xt_entry_match *match, > + struct xt_xlate *xl, int numeric) > +{ > + const struct ip6t_frag *fraginfo = (struct ip6t_frag *)match->data; > + > + if (!(fraginfo->ids[0] == 0 && fraginfo->ids[1] == 0xFFFFFFFF)) { > + xt_xlate_add(xl, "frag id %s", > + (fraginfo->invflags & IP6T_FRAG_INV_IDS) ? > + "!= " : ""); > + if (fraginfo->ids[0] != fraginfo->ids[1]) > + xt_xlate_add(xl, "%u-%u ", fraginfo->ids[0], > + fraginfo->ids[1]); > + else > + xt_xlate_add(xl, "%u ", fraginfo->ids[0]); > + } > + > + if (fraginfo->flags & IP6T_FRAG_RES) > + xt_xlate_add(xl, "frag reserved 1 "); > + > + if (fraginfo->flags & IP6T_FRAG_FST) > + xt_xlate_add(xl, "frag frag-off 0 "); > + > + if ((fraginfo->flags & IP6T_FRAG_MF) || > + (fraginfo->flags & IP6T_FRAG_NMF)) > + xt_xlate_add(xl, "frag more-fragments 1 ");

I think IP6T_FRAG_NMF means no more fragments, i.e. frag more-fragments 0. While IP6T_FRAG_MF means more fragments, i.e. frag more-fragments 1.

Please, review the logic that we have in the kernel module when providing correct translations.

http://lxr.free-electrons.com/source/net/ipv6/netfilter/ip6t_frag.c

It would also be good if you test these rules from the packet path, by generating traffic to trigger matches, not only from a control plane perspective.

Thanks.
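Review bot: the final condition in frag_xlate() ORs IP6T_FRAG_MF with IP6T_FRAG_NMF and emits "frag more-fragments 1" for either flag, so the two options yield the same translation; give each flag its own branch with a distinct output so a translated ruleset does not match a different set of fragments than the original rule. Separately, the initializer casts match->data to "(struct ip6t_frag *)" while fraginfo is declared const; cast to "(const struct ip6t_frag *)" so the qualifier is not dropped.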