[PATCH 2.6]: ip6t_{hbh,dst}: Rejects not-strict mode on rule insersion

[PATCH 2.6]: ip6t_{hbh,dst}: Rejects not-strict mode on rule insersion

[Yasuyuki KOZAKAI]

Hi Patrick,

Please apply the following patch. The option IP6T_OPTS_NSTRICT causes to
ignore rules for options in HBH/DST header.

I think this issue affects few users. Because fortunately (?) man page and
'ip6tables -m hbh --help' does not show --hbh-not-strict option, and
'ip6tables ... --hbh-not-strict' does not work due to incorrect has_arg
value in userland libip6t_hbh.c ;)

I will implement not-strict mode, so the patch leaves the definition of
IP6T_OPTS_NSTRICT. The strict mode is too strict (the specified options
have to be included in order in HBH/DST header) and would be useless
in most senarios.

Regards,


[NETFILTER]: ip6t_{hbh,dst}: Rejects not-strict mode on rule insertion

The current code ignores rules for internal options in HBH/DST options
header in packet processing if 'Not strict' mode is specified (which is not
implemented). Clearly it is not expected by user.

Kernel should reject HBH/DST rule insertion with 'Not strict' mode
in the first place.

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
---
 net/ipv6/netfilter/ip6t_hbh.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
index 62e39ac..26654b2 100644
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -97,8 +97,6 @@ hbh_mt6(const struct sk_buff *skb, const struct net_device *in,
 	hdrlen -= 2;
 	if (!(optinfo->flags & IP6T_OPTS_OPTS)) {
 		return ret;
-	} else if (optinfo->flags & IP6T_OPTS_NSTRICT) {
-		pr_debug("Not strict - not implemented");
 	} else {
 		pr_debug("Strict ");
 		pr_debug("#%d ", optinfo->optsnr);
@@ -177,6 +175,12 @@ hbh_mt6_check(const char *tablename, const void *entry,
 		pr_debug("ip6t_opts: unknown flags %X\n", optsinfo->invflags);
 		return false;
 	}
+
+	if (optsinfo->flags & IP6T_OPTS_NSTRICT) {
+		pr_debug("ip6t_opts: Not strict - not implemented");
+		return false;
+	}
+
 	return true;
 }
 
-- 
1.5.3.6

Re: [PATCH 2.6]: ip6t_{hbh,dst}: Rejects not-strict mode on rule insersion

[Patrick McHardy]

Yasuyuki KOZAKAI wrote:
> Hi Patrick,
> 
> Please apply the following patch. The option IP6T_OPTS_NSTRICT causes to
> ignore rules for options in HBH/DST header.
> 
> I think this issue affects few users. Because fortunately (?) man page and
> 'ip6tables -m hbh --help' does not show --hbh-not-strict option, and
> 'ip6tables ... --hbh-not-strict' does not work due to incorrect has_arg
> value in userland libip6t_hbh.c ;)
> 
> I will implement not-strict mode, so the patch leaves the definition of
> IP6T_OPTS_NSTRICT. The strict mode is too strict (the specified options
> have to be included in order in HBH/DST header) and would be useless
> in most senarios.

Since my knowledge of this quite limited - is this fix important
enough so it should go in 2.6.27, or is queuing it for 2.6.28 OK
too?

Re: [PATCH 2.6]: ip6t_{hbh,dst}: Rejects not-strict mode on rule insersion

[Yasuyuki KOZAKAI]

From: Patrick McHardy <kaber@trash.net>
Date: Tue, 09 Sep 2008 08:54:00 +0200

> Yasuyuki KOZAKAI wrote:
> > Hi Patrick,
> > 
> > Please apply the following patch. The option IP6T_OPTS_NSTRICT causes to
> > ignore rules for options in HBH/DST header.
> > 
> > I think this issue affects few users. Because fortunately (?) man page and
> > 'ip6tables -m hbh --help' does not show --hbh-not-strict option, and
> > 'ip6tables ... --hbh-not-strict' does not work due to incorrect has_arg
> > value in userland libip6t_hbh.c ;)
> > 
> > I will implement not-strict mode, so the patch leaves the definition of
> > IP6T_OPTS_NSTRICT. The strict mode is too strict (the specified options
> > have to be included in order in HBH/DST header) and would be useless
> > in most senarios.
> 
> Since my knowledge of this quite limited - is this fix important
> enough so it should go in 2.6.27, or is queuing it for 2.6.28 OK
> too?

Actually I am torn between them. I think this is security issue, like that
'iptables -p tcp -j DROP' does not drop TCP packets.
But no ip6tables user meet this issue because of has_arg bug.

I prefer 2.6.27 so that I don't need to fear rare case in several months :)

-- Yasuyuki Kozakai

Re: [PATCH 2.6]: ip6t_{hbh,dst}: Rejects not-strict mode on rule insersion

[Patrick McHardy]

Yasuyuki KOZAKAI wrote:
> From: Patrick McHardy <kaber@trash.net>
> Date: Tue, 09 Sep 2008 08:54:00 +0200
> 
>> Yasuyuki KOZAKAI wrote:
>>> Hi Patrick,
>>>
>>> Please apply the following patch. The option IP6T_OPTS_NSTRICT causes to
>>> ignore rules for options in HBH/DST header.
>>>
>>> I think this issue affects few users. Because fortunately (?) man page and
>>> 'ip6tables -m hbh --help' does not show --hbh-not-strict option, and
>>> 'ip6tables ... --hbh-not-strict' does not work due to incorrect has_arg
>>> value in userland libip6t_hbh.c ;)
>>>
>>> I will implement not-strict mode, so the patch leaves the definition of
>>> IP6T_OPTS_NSTRICT. The strict mode is too strict (the specified options
>>> have to be included in order in HBH/DST header) and would be useless
>>> in most senarios.
>> Since my knowledge of this quite limited - is this fix important
>> enough so it should go in 2.6.27, or is queuing it for 2.6.28 OK
>> too?
> 
> Actually I am torn between them. I think this is security issue, like that
> 'iptables -p tcp -j DROP' does not drop TCP packets.
> But no ip6tables user meet this issue because of has_arg bug.
> 
> I prefer 2.6.27 so that I don't need to fear rare case in several months :)

Applied, thanks, and sorry for the delay.