[PATCH nf] netfilter: nft_compat: set IP6T_F_PROTO flag if protocol is set

[PATCH nf] netfilter: nft_compat: set IP6T_F_PROTO flag if protocol is set

[Pablo Neira Ayuso]

ip6tables extensions check for this flag to restrict match/target to a
given protocol. Without this flag set, SYNPROXY6 returns an error.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nft_compat.c |    6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index 213584c..65f3e2b 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -133,6 +133,9 @@ nft_target_set_tgchk_param(struct xt_tgchk_param *par,
 		entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
 		break;
 	case AF_INET6:
+		if (proto)
+			entry->e6.ipv6.flags |= IP6T_F_PROTO;
+
 		entry->e6.ipv6.proto = proto;
 		entry->e6.ipv6.invflags = inv ? IP6T_INV_PROTO : 0;
 		break;
@@ -344,6 +347,9 @@ nft_match_set_mtchk_param(struct xt_mtchk_param *par, const struct nft_ctx *ctx,
 		entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
 		break;
 	case AF_INET6:
+		if (proto)
+			entry->e6.ipv6.flags |= IP6T_F_PROTO;
+
 		entry->e6.ipv6.proto = proto;
 		entry->e6.ipv6.invflags = inv ? IP6T_INV_PROTO : 0;
 		break;
-- 
1.7.10.4

Re: [PATCH nf] netfilter: nft_compat: set IP6T_F_PROTO flag if protocol is set

[Patrick McHardy]

On 21.03, Pablo Neira Ayuso wrote:
> ip6tables extensions check for this flag to restrict match/target to a
> given protocol. Without this flag set, SYNPROXY6 returns an error.

That looks like the correct solution to me, thanks!

I guess we should also fix all the ip6_tables extensions that think
they're matching on the L4 protocol but are actually not enforcing
this.

> 
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
>  net/netfilter/nft_compat.c |    6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
> index 213584c..65f3e2b 100644
> --- a/net/netfilter/nft_compat.c
> +++ b/net/netfilter/nft_compat.c
> @@ -133,6 +133,9 @@ nft_target_set_tgchk_param(struct xt_tgchk_param *par,
>  		entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
>  		break;
>  	case AF_INET6:
> +		if (proto)
> +			entry->e6.ipv6.flags |= IP6T_F_PROTO;
> +
>  		entry->e6.ipv6.proto = proto;
>  		entry->e6.ipv6.invflags = inv ? IP6T_INV_PROTO : 0;
>  		break;
> @@ -344,6 +347,9 @@ nft_match_set_mtchk_param(struct xt_mtchk_param *par, const struct nft_ctx *ctx,
>  		entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
>  		break;
>  	case AF_INET6:
> +		if (proto)
> +			entry->e6.ipv6.flags |= IP6T_F_PROTO;
> +
>  		entry->e6.ipv6.proto = proto;
>  		entry->e6.ipv6.invflags = inv ? IP6T_INV_PROTO : 0;
>  		break;
> -- 
> 1.7.10.4
> 
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

Re: [PATCH nf] netfilter: nft_compat: set IP6T_F_PROTO flag if protocol is set

[Pablo Neira Ayuso]

On Sat, Mar 21, 2015 at 06:45:09PM +0000, Patrick McHardy wrote:
> On 21.03, Pablo Neira Ayuso wrote:
> > ip6tables extensions check for this flag to restrict match/target to a
> > given protocol. Without this flag set, SYNPROXY6 returns an error.
> 
> That looks like the correct solution to me, thanks!
>
> I guess we should also fix all the ip6_tables extensions that think
> they're matching on the L4 protocol but are actually not enforcing
> this.

I'll send a follow up patch to fix this. Thanks for reviewing!