diff options
| author | Masahide NAKAMURA <nakam@linux-ipv6.org> | 2007-02-12 11:16:17 -0800 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2007-02-12 11:16:17 -0800 |
| commit | 138939e0662ccb0e805aefe400bcf9cfcbece8e7 (patch) | |
| tree | 9c3ec935238bc2850435230b099c12dfc216f1dc | |
| parent | 601e68e100b6bf8ba13a32db8faf92d43acaa997 (diff) | |
| download | linux-3.10-138939e0662ccb0e805aefe400bcf9cfcbece8e7.tar.gz linux-3.10-138939e0662ccb0e805aefe400bcf9cfcbece8e7.tar.bz2 linux-3.10-138939e0662ccb0e805aefe400bcf9cfcbece8e7.zip | |
[NETFILTER]: ip6t_mh: drop piggyback payload packet on MH packets
Regarding RFC3775, MH payload proto field should be IPPROTO_NONE. Otherwise
it must be discarded (and the receiver should send ICMP error).
We assume filter should drop such piggyback everytime to disallow slipping
through firewall rules, even the final receiver will discard it.
Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/ipv6/netfilter/ip6t_mh.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c index 2c7efc6a506..c2a909893a6 100644 --- a/net/ipv6/netfilter/ip6t_mh.c +++ b/net/ipv6/netfilter/ip6t_mh.c @@ -66,6 +66,13 @@ match(const struct sk_buff *skb, return 0; } + if (mh->ip6mh_proto != IPPROTO_NONE) { + duprintf("Dropping invalid MH Payload Proto: %u\n", + mh->ip6mh_proto); + *hotdrop = 1; + return 0; + } + return type_match(mhinfo->types[0], mhinfo->types[1], mh->ip6mh_type, !!(mhinfo->invflags & IP6T_MH_INV_TYPE)); } |