ip6 nexthdr tcp tcp dport 22 will now inject a (useless) meta l4 dependency as ip6 nexthdr is no longer flagged as EXPR_F_PROTOCOL. Avoid this if user really specified a test for ip6hdr->nexthdr.

Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 src/payload.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/src/payload.c b/src/payload.c
index 55128fee1498..3a3fe8de97cf 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -117,6 +117,23 @@ static const struct expr_ops payload_expr_ops = {
 .pctx_update = payload_expr_pctx_update,
 };
 
+/*
+ * ipv6 is special case, we normally use 'meta l4proto' to fetch the last
+ * l4 header of the ipv6 extension header chain so we will also match
+ * tcp after a fragmentation header, for instance.
+ *
+ * If user specifically asks for nexthdr x, treat is as a full
+ * dependency rather than injecting another (useless) meta l4 one.
+ */
+static bool proto_key_is_protocol(const struct proto_desc *desc, unsigned int type)
+{
+ if (type == desc->protocol_key ||
+ (desc == &proto_ip6 && type == IP6HDR_NEXTHDR))
+ return true;
+
+ return false;
+}
+
 struct expr *payload_expr_alloc(const struct location *loc,
 const struct proto_desc *desc,
 unsigned int type)
@@ -129,7 +146,7 @@ struct expr *payload_expr_alloc(const struct location *loc,
 if (desc != NULL) {
 tmpl = &desc->templates[type];
 base = desc->base;
- if (type == desc->protocol_key)
+ if (proto_key_is_protocol(desc, type))
 flags = EXPR_F_PROTOCOL;
 } else {
 tmpl = &proto_unknown_template;
-- 
2.10.2
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
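Review bot: The new proto_key_is_protocol() dereferences `desc` unconditionally, so it silently assumes a non-NULL descriptor; that holds at the only call site in the second hunk (inside `if (desc != NULL)`), but the helper should say so, e.g. add `* desc must be non-NULL.` to its header comment so a future caller does not pass the NULL-descriptor path through it. The comment also has two slips worth fixing while here: `* ipv6 is special case,` → `* ipv6 is a special case,` and `treat is as a full` → `treat it as a full`. It would also help readers to spell out the consequence the comment only implies: when nexthdr is tested explicitly, the rule matches only a directly following l4 header and not one behind an extension header, which is the intended difference from `meta l4proto`. Finally, the if/return pair collapses to `return type == desc->protocol_key ||` / `       (desc == &proto_ip6 && type == IP6HDR_NEXTHDR);`, which reads as the predicate it is.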