From patchwork Thu Jul 11 19:03:43 2013
X-Patchwork-Submitter: Phil Oester
X-Patchwork-Id: 258609
Date: Thu, 11 Jul 2013 12:03:43 -0700
From: Phil Oester
To: netfilter-devel@vger.kernel.org
Cc: pablo@netfilter.org
Subject: [PATCH] netfilter: xt_pkttype: IPv6 has no broadcast
Message-ID: <20130711190343.GA25293@linuxace.com>

As stated in RFC 4291:

    There are no broadcast addresses in IPv6, their function being superseded by multicast addresses.

As such, the pkttype match should not allow IPv6 rules to be added which attempt to match broadcast packets. The addrtype match already rejects such attempts.

Phil

Signed-off-by: Phil Oester

diff --git a/net/netfilter/xt_pkttype.c b/net/netfilter/xt_pkttype.c index 5b645cb..4c0b0e1 100644 --- a/net/netfilter/xt_pkttype.c +++ b/net/netfilter/xt_pkttype.c @@ -42,13 +42,29 @@ pkttype_mt(const struct sk_buff *skb, struct xt_action_param *par) return (type == info->pkttype) ^ info->invert; } +static int pkttype_mt_checkentry(const struct xt_mtchk_param *par) +{ + const struct xt_pkttype_info *info = par->matchinfo; + +#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) + if (par->family == NFPROTO_IPV6) { + if (info->pkttype == PACKET_BROADCAST) { + pr_err("IPv6 does not support BROADCAST packets\n"); + return -EINVAL; + } + } +#endif + return 0; +} + static struct xt_match pkttype_mt_reg __read_mostly = { - .name = "pkttype", - .revision = 0, - .family = NFPROTO_UNSPEC, - .match = pkttype_mt, - .matchsize = sizeof(struct xt_pkttype_info), - .me = THIS_MODULE, + .name = "pkttype", + .revision = 0, + .family = NFPROTO_UNSPEC, + .checkentry = pkttype_mt_checkentry, + .match = pkttype_mt, + .matchsize = sizeof(struct xt_pkttype_info), + .me = THIS_MODULE, }; static int __init pkttype_mt_init(void)
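Review bot: the `#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)` guard in pkttype_mt_checkentry is redundant and should go: NFPROTO_IPV6 is defined unconditionally, and the `par->family == NFPROTO_IPV6` test already makes the check a no-op for every other family, so the guard only adds a configuration-dependent code path to keep correct. While there, the two nested ifs read better as one condition, `if (par->family == NFPROTO_IPV6 && info->pkttype == PACKET_BROADCAST)`. Second, checkentry runs on every rule insertion, so the `pr_err` turns each rejected rule into an unthrottled error-level kernel log line; `pr_info` or a ratelimited variant (`pr_info_ratelimited`) is the better fit for reporting a bad user-supplied rule. Note that the rejection also covers the inverted form (`! --pkt-type broadcast`), which is reasonable since, per the unchanged `return (type == info->pkttype) ^ info->invert;`, such a rule would match every IPv6 packet, but the commit message should say so. Finally, re-aligning the existing `.name`, `.revision`, `.family`, `.match`, `.matchsize` and `.me` initializers is whitespace churn unrelated to the fix and bloats the diff; add only the `.checkentry = pkttype_mt_checkentry,` line.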