If protocol context specifies IPv6 on network layer, convert the payload
expression at hand into an exthdr one. OTOH, if network layer protocol
is not IPv4, bail out with an error since it is not clear what the user
wants in this case.
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
src/evaluate.c | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/src/evaluate.c b/src/evaluate.c
index 27cee98916db0..9b28d5266135d 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -633,10 +633,40 @@ static bool payload_needs_adjustment(const struct expr *expr)
expr->len % BITS_PER_BYTE != 0;
}
+static int proto_desc2proto(const struct proto_desc *proto_desc)
+{
+ int i;
+
+ for (i = 0; i < NFPROTO_NUMPROTO; i++) {
+ if (hook_proto_desc[i].desc == proto_desc)
+ return i;
+ }
+
+ return NFPROTO_NUMPROTO;
+}
+
static int expr_evaluate_payload(struct eval_ctx *ctx, struct expr **exprp)
{
struct expr *expr = *exprp;
+ if (expr->payload.desc == &proto_ah) {
+ struct proto_desc *desc =
+ ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc;
+ switch (proto_desc2proto(desc)) {
+ case NFPROTO_IPV4:
+ break;
+ case NFPROTO_IPV6:
+ expr = exthdr_expr_alloc(&expr->location, &exthdr_ah,
+ expr->payload.type);
+ expr_free(*exprp);
+ *exprp = expr;
+ return expr_evaluate(ctx, exprp);
+ break;
+ default:
+ return expr_error(ctx->msgs, expr, "ah header match requires address family to be either IPv4 or IPv6 (got %d)", proto_desc2proto(desc));
+ }
+ }
+
if (__expr_evaluate_payload(ctx, expr) < 0)
return -1;
--
2.11.0
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
