On Mon, Feb 29, 2016 at 3:36 PM, Florian Westphal <f...@strlen.de> wrote:
> Shivani Bhardwaj <shivanib...@gmail.com> wrote:
>> Change the data type of len from unsigned int to int in order to make
>> it valid for checks like
>>
>> if (len < 0)
>>
>> The issue was brought into attention by the unexplained behavior of
>> frag with frag-off. Bugzilla entry:
>> https://bugzilla.netfilter.org/show_bug.cgi?id=935
>>
>> This patch fixes this bug, however there are still issues with frag
>> that need to be fixed.
>
> exthdr (frag) seems to have several issues:
>
> - we should reject exthdr and only allow it with ipv6.
> - for inet/bridge, we should also inject ipv6 dependency
> - some exthdrs (frag for instance) have odd bit lengths
> and need mask/shift instructions.
>
> For example, in your example rule we generate:
> [ exthdr load 1b @ 44 + 2 => reg 1 ]
> [ cmp eq reg 1 0x00002100 ]
>
> But thats not correct -- we truncated the load to one byte.
> Instead we should have loaded 2 bytes and then masked off the extra 3bits.
>
> I'll work on this.
In the chain this rule shows up as
chain input {
type filter hook input priority 0; policy accept;
frag unknown 0x0 [invalid type]
}
This is also the case with some icmpv6 options (id and max-delay),
please take a note of this too.
Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
