[iptables PATCH] xtables: Drop use of IP6T_F_PROTO

Setting this bit in cs->fw6.ipv6.flags was done only for rules parsed
from the command line, not for those read from the kernel. As a result,
appropriate rules could not be deleted. A simple test case is:

| # ip6tables-nft -A INPUT -p tcp -j ACCEPT
| # ip6tables-nft -D INPUT -p tcp -j ACCEPT
| iptables: Bad rule (does a matching rule exist in that chain?).

Since the flag is not used anywhere in xtables, dropping its use fixes
the bug as well as setting it in both cases.

Fixes: 5ee03e6df4172 ("xtables: Use meta l4proto for -p match")
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 iptables/nft-ipv6.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 48a7cefe023bc..b1b20ba18d868 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -171,7 +171,6 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
 		break;
 	case offsetof(struct ip6_hdr, ip6_nxt):
 		get_cmp_data(e, &proto, sizeof(proto), &inv);
-		cs->fw6.ipv6.flags |= IP6T_F_PROTO;
 		cs->fw6.ipv6.proto = proto;
 		if (inv)
 			cs->fw6.ipv6.invflags |= IP6T_INV_PROTO;
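Review bot: with the `cs->fw6.ipv6.flags |= IP6T_F_PROTO;` line removed, the ip6_nxt branch still records the protocol and the inversion bit, so a rule read back from the kernel now carries the same `fw6.ipv6.flags` value as one built from the command line, which is what lets the `-D` comparison in the description succeed. Please state in the commit message that no other parser branch in nft-ipv6.c (in particular the meta l4proto path named in the Fixes tag) sets this bit either, so the two parsing paths cannot diverge on this field again.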
@@ -325,9 +324,6 @@ static void nft_ipv6_proto_parse(struct iptables_command_state *cs,
 static void nft_ipv6_post_parse(int command, struct iptables_command_state *cs,
 				struct xtables_args *args)
 {
-	if (args->proto != 0)
-		args->flags |= IP6T_F_PROTO;
-
 	cs->fw6.ipv6.flags = args->flags;
 	/* We already set invflags in proto_parse, but we need to refresh it
 	 * to include new parsed options.
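Review bot: with the `if (args->proto != 0)` branch gone, `cs->fw6.ipv6.flags = args->flags;` now copies the flags untouched, matching the kernel-read path after the first hunk. Since the diffstat touches only iptables/nft-ipv6.c, the message should say whether the legacy ip6tables front end is unaffected, and the test case would be stronger if it also covered the inverted form (`! -p tcp`), because the `IP6T_INV_PROTO` handling set in proto_parse is left as is.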
-- 
2.18.0