On Tue, Apr 04, 2017 at 08:46:46PM +0200, Florian Westphal wrote:
> if kernel is older it won't understand the EXTHDR_OP attribute, i.e.
> the rule gets accepted as a check for ipv6 exthdr.
>
> On dump nft is then presented with an invalid ipv6 exthdr.
> So we need to get rid of the assert and output an "invalid" message on
> list. Longterm we need a proper vm description or kernel-side check
> to reject such messages in first place.
>
> After patch, test suite yields errors of type
> ip6/tcpopt.t: WARNING: 'src/nft add rule --debug=netlink ip6 test-ip6 \
> input tcp option sack right 1': 'tcp option sack right 1' mismatches
> 'ip6 nexthdr 6 unknown-exthdr unknown 0x1 [invalid type]'
>
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>

Acked-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>