[NETFILTER]: ip6t_mh: drop piggyback payload packet on MH packets
Regarding RFC3775, MH payload proto field should be IPPROTO_NONE. Otherwise it must be discarded (and the receiver should send ICMP error). We assume filter should drop such piggyback everytime to disallow slipping through firewall rules, even the final receiver will discard it. Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
601e68e100
commit
138939e066
1 changed files with 7 additions and 0 deletions
|
@ -66,6 +66,13 @@ match(const struct sk_buff *skb,
|
|||
return 0;
|
||||
}
|
||||
|
||||
if (mh->ip6mh_proto != IPPROTO_NONE) {
|
||||
duprintf("Dropping invalid MH Payload Proto: %u\n",
|
||||
mh->ip6mh_proto);
|
||||
*hotdrop = 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
return type_match(mhinfo->types[0], mhinfo->types[1], mh->ip6mh_type,
|
||||
!!(mhinfo->invflags & IP6T_MH_INV_TYPE));
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue