Commit 138939e0 authored by Masahide NAKAMURA, committed by David S. Miller

[NETFILTER]: ip6t_mh: drop piggyback payload packet on MH packets

Regarding RFC 3775, the MH payload proto field should be IPPROTO_NONE. Otherwise
it must be discarded (and the receiver should send an ICMP error).

We assume the filter should drop such a piggyback every time to disallow slipping
through firewall rules, even though the final receiver will discard it.
Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 601e68e1
...@@ -66,6 +66,13 @@ match(const struct sk_buff *skb, ...@@ -66,6 +66,13 @@ match(const struct sk_buff *skb,
return 0; return 0;
} }
if (mh->ip6mh_proto != IPPROTO_NONE) {
duprintf("Dropping invalid MH Payload Proto: %u\n",
mh->ip6mh_proto);
*hotdrop = 1;
return 0;
}
return type_match(mhinfo->types[0], mhinfo->types[1], mh->ip6mh_type, return type_match(mhinfo->types[0], mhinfo->types[1], mh->ip6mh_type,
!!(mhinfo->invflags & IP6T_MH_INV_TYPE)); !!(mhinfo->invflags & IP6T_MH_INV_TYPE));
} }
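Review bot: The new `mh->ip6mh_proto != IPPROTO_NONE` check deserves a one-line comment citing RFC 3775, since a reader of match() otherwise has no way to know why a non-NONE payload proto is a hard drop rather than a type mismatch. Placement is right: it sits after the existing early `return 0` (so `mh` is already validated) and before type_match(), so the `*hotdrop = 1` fires regardless of `mhinfo->types` or `IP6T_MH_INV_TYPE`, which is exactly the "drop every time, never let it slip through" behaviour the commit message asks for. Returning 0 after setting hotdrop is consistent with the other hotdrop paths in the ip6_tables matches. Suggest also stating in the duprintf or comment that this is the filter's own policy and that the firewall does not send the ICMP Parameter Problem that the end host would; otherwise someone may later "fix" the filter to only drop when the rule matches.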