From: Yasuyuki KOZAKAI Date: Mon, 8 Sep 2008 06:32:34 +0000 (+0900) Subject: netfilter: ip6t_{hbh,dst}: Rejects not-strict mode on rule insertion X-Git-Url: http://git.osdn.net/view?p=linux-kernel-docs%2Flinux-2.4.36.git;a=commitdiff_plain;h=59a1f6d68cdd824f303554922a77ddaf0a2a887e netfilter: ip6t_{hbh,dst}: Rejects not-strict mode on rule insertion [2.6 commit: 8ca31ce52a5cfd03b960fd81a49197ae85d25347] The current code ignores rules for internal options in HBH/DST options header in packet processing if 'Not strict' mode is specified (which is not implemented). Clearly it is not expected by user. Kernel should reject HBH/DST rule insertion with 'Not strict' mode in the first place. Signed-off-by: Yasuyuki Kozakai Signed-off-by: Willy Tarreau
---
diff --git a/net/ipv6/netfilter/ip6t_dst.c b/net/ipv6/netfilter/ip6t_dst.c
index 65213e95..70b7f893 100644
--- a/net/ipv6/netfilter/ip6t_dst.c
+++ b/net/ipv6/netfilter/ip6t_dst.c
@@ -172,8 +172,6 @@ match(const struct sk_buff *skb,
 hdrlen -= 2;
 if ( !(optinfo->flags & IP6T_OPTS_OPTS) ){
 return ret;
- } else if (optinfo->flags & IP6T_OPTS_NSTRICT) {
- DEBUGP("Not strict - not implemented");
 } else {
 DEBUGP("Strict ");
 DEBUGP("#%d ",optinfo->optsnr);
@@ -253,6 +251,10 @@ checkentry(const char *tablename,
 optsinfo->invflags);
 return 0;
 }
+ if (optsinfo->flags & IP6T_OPTS_NSTRICT) {
+ DEBUGP("ip6t_opts: Not strict - not implemented");
+ return 0;
+ }
 return 1;
 }
diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
index b37e4ce0..63f9980c 100644
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -172,8 +172,6 @@ match(const struct sk_buff *skb,
 hdrlen -= 2;
 if ( !(optinfo->flags & IP6T_OPTS_OPTS) ){
 return ret;
- } else if (optinfo->flags & IP6T_OPTS_NSTRICT) {
- DEBUGP("Not strict - not implemented");
 } else {
 DEBUGP("Strict ");
 DEBUGP("#%d ",optinfo->optsnr);
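Review bot: In the checkentry() hunk of ip6t_dst.c the new rejection is reported only through DEBUGP, and the message has no trailing newline, so on a build where DEBUGP is compiled out (presumably the default) the insertion fails with no kernel log line saying why. A ruleset that used the not-strict flag was accepted before this change and is refused after it, so whoever reloads the firewall needs to be able to find the reason. I would terminate the string, `DEBUGP("ip6t_opts: Not strict - not implemented\n");`, consider logging it unconditionally, and put a comment above the test such as `/* NSTRICT matching was never implemented; refuse the rule instead of installing one whose option list match() ignores */`. The identical checkentry() hunk in ip6t_hbh.c needs the same treatment; checkentry() itself starts outside the hunk.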
@@ -253,6 +251,10 @@ checkentry(const char *tablename,
 optsinfo->invflags);
 return 0;
 }
+ if (optsinfo->flags & IP6T_OPTS_NSTRICT) {
+ DEBUGP("ip6t_opts: Not strict - not implemented");
+ return 0;
+ }
 return 1;
 }
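Review bot: The added test in checkentry() refuses any rule with IP6T_OPTS_NSTRICT set, whereas the branch removed from match() was only reached when IP6T_OPTS_OPTS was also set. With IP6T_OPTS_OPTS clear, match() returned `ret` before looking at NSTRICT, so a rule carrying the flag without an option list appears to have behaved correctly before and is now rejected as well. If the blanket rejection is deliberate, which is the safer reading, it deserves a comment saying so, e.g. `/* reject NSTRICT even without IP6T_OPTS_OPTS: the flag has no implemented meaning */`. The same question applies to the checkentry() hunk in ip6t_dst.c; the function starts outside the hunk.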