On Fri, May 19, 2017 at 10:11:04PM +0200, Florian Westphal wrote:
> Currently nft inserts different types of dependencies for l4 protocols,
> depending on the family.
>
> For inet, nft inserts 'meta l4proto' to e.g. check for tcp, for
> ip, nft uses 'ip protocol'. Both are fine. The ip6 family however
> uses 'ip6 nexthdr', and that's a problem because e.g. tcp dport 22 will
> not match packets that use ipv6 extension headers.
>
> The series switches both ipv6 and ipv4 to use meta l4 instead
> so ipv6 will always check the last transport header value.
>
> We could ignore ip as only ipv6 uses extension headers.
> However, switching ipv4 as well makes things a bit simpler because nft
> then creates the same l4 dependency for all families.

Acked-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>

Thanks Florian.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
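The difference the series addresses, written out as an nft ruleset. This is an added, constructed example and is not part of the mail or of the patch series; the table and chain names are assumptions. The first rule spells out the dependency nft used to generate for the ip6 family (`ip6 nexthdr`), the second the dependency it generates after the series (`meta l4proto`, as the inet family already did):

```nft
# Constructed example ruleset (not from the mail or the patch series).
# Table and chain names are placeholders chosen for illustration.
table ip6 filter {
    chain input {
        type filter hook input priority 0; policy accept;

        # Old ip6 dependency: 'ip6 nexthdr' tests the next-header field of the
        # fixed IPv6 header. When an extension header (e.g. Hop-by-Hop or
        # Destination Options) sits between the IPv6 header and TCP, that field
        # is not 6 (tcp), so a TCP segment to port 22 does not match this rule.
        ip6 nexthdr tcp tcp dport 22 counter accept

        # New dependency for all families: 'meta l4proto' is the protocol of the
        # last transport header, i.e. the value found after any extension
        # headers have been skipped, so the same segment matches here.
        meta l4proto tcp tcp dport 22 counter accept
    }
}

table ip filter {
    chain input {
        type filter hook input priority 0; policy accept;

        # Old ip dependency ('ip protocol') and new one ('meta l4proto') are
        # equivalent for IPv4, which has no extension headers; the series
        # switches ip too only so every family generates the same dependency.
        ip protocol tcp tcp dport 22 counter accept
        meta l4proto tcp tcp dport 22 counter accept
    }
}
```

Load it with `nft -f <file>` and inspect with `nft list ruleset`; the counters on the two ip6 rules make the difference visible when IPv6 traffic with extension headers arrives, since only the `meta l4proto` rule counts it.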