Patchwork [RFC,2/2] icmp6: match on errors and informational messages

Submitter holger@eitzenberger.org
Date April 3, 2013, 2:27 p.m.
Message ID <20130403144245.789797754@eitzenberger.org>
Permalink /patch/233498/
State RFC

Comments

holger@eitzenberger.org - April 3, 2013, 2:27 p.m.
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>



Patch

Index: linux-stable-3.8.y/include/uapi/linux/netfilter_ipv6/ip6_tables.h
===================================================================
--- linux-stable-3.8.y.orig/include/uapi/linux/netfilter_ipv6/ip6_tables.h	2013-04-03 09:59:41.000000000 +0200
+++ linux-stable-3.8.y/include/uapi/linux/netfilter_ipv6/ip6_tables.h	2013-04-03 15:20:25.000000000 +0200
@@ -185,11 +185,14 @@ 
 struct ip6t_icmp {
 	__u8 type;				/* type to match */
 	__u8 code[2];				/* range of code */
-	__u8 invflags;				/* Inverse flags */
+	__u8 flags;
 };
 
 /* Values for "inv" field for struct ipt_icmp. */
 #define IP6T_ICMP_INV	0x01	/* Invert the sense of type/code test */
+#define IP6T_ICMP_ERROR 0x02	/* Match any error type */
+#define IP6T_ICMP_INFO	0x04	/* Match any informational type */
+#define IP6T_ICMP_MASK	0x07
 
 /* The argument to IP6T_SO_GET_INFO */
 struct ip6t_getinfo {
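Review bot: Renaming `invflags` to `flags` in a uapi struct changes the exported source interface, so userspace that builds against this header and still references `invflags` would presumably stop compiling even though the struct layout is unchanged. If the rename stays, the member has lost its comment and the heading above the defines still says it describes the "inv" field; I would write `__u8 flags; /* IP6T_ICMP_* flags */` and reword the heading to `/* Values for the "flags" field of struct ip6t_icmp. */`. `IP6T_ICMP_MASK` would also benefit from a comment saying it is the set of flag bits the kernel accepts.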
Index: linux-stable-3.8.y/net/ipv6/netfilter/ip6_tables.c
===================================================================
--- linux-stable-3.8.y.orig/net/ipv6/netfilter/ip6_tables.c	2013-04-03 09:59:41.000000000 +0200
+++ linux-stable-3.8.y/net/ipv6/netfilter/ip6_tables.c	2013-04-03 15:19:26.000000000 +0200
@@ -2149,11 +2149,15 @@ 
 		return false;
 	}
 
+	if (icmpinfo->flags & IP6T_ICMP_ERROR)
+		return ic->icmp6_type < ICMPV6_ECHO_REQUEST;
+	if (icmpinfo->flags & IP6T_ICMP_INFO)
+		return ic->icmp6_type >= ICMPV6_ECHO_REQUEST;
 	return icmp6_type_code_match(icmpinfo->type,
 				     icmpinfo->code[0],
 				     icmpinfo->code[1],
 				     ic->icmp6_type, ic->icmp6_code,
-				     !!(icmpinfo->invflags&IP6T_ICMP_INV));
+				     !!(icmpinfo->flags & IP6T_ICMP_INV));
 }
 
 /* Called when user tries to insert an entry of this type. */
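Review bot: The two early returns ignore `IP6T_ICMP_INV`, so a rule that sets the invert bit together with `IP6T_ICMP_ERROR` or `IP6T_ICMP_INFO` matches the opposite of what the rule author asked for, and a packet filter then accepts or drops traffic against intent without any error. Fold the inversion into both branches, for example `return (ic->icmp6_type < ICMPV6_ECHO_REQUEST) ^ !!(icmpinfo->flags & IP6T_ICMP_INV);` and the same for the informational test. The class test would also read more directly as a check of the high bit with `ICMPV6_INFOMSG_MASK` than as a comparison against the echo-request type. The function begins above this hunk, so its earlier header checks are not visible here.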
@@ -2161,8 +2165,8 @@ 
 {
 	const struct ip6t_icmp *icmpinfo = par->matchinfo;
 
-	/* Must specify no unknown invflags */
-	return (icmpinfo->invflags & ~IP6T_ICMP_INV) ? -EINVAL : 0;
+	/* Must specify no unknown flags */
+	return (icmpinfo->flags & ~IP6T_ICMP_MASK) ? -EINVAL : 0;
 }
 
 /* The built-in targets: standard (NULL) and error. */
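Review bot: Checking only against `IP6T_ICMP_MASK` accepts a rule that sets `IP6T_ICMP_ERROR` and `IP6T_ICMP_INFO` together, and the match function in the previous hunk then treats it as error-only because that test comes first. Rejecting the contradictory combination at insert time keeps the loaded ruleset equal to what was requested: `if ((icmpinfo->flags & IP6T_ICMP_ERROR) && (icmpinfo->flags & IP6T_ICMP_INFO)) return -EINVAL;`. The function's signature is above the hunk.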