Commit fc3068b0 authored by Jussi Laakkonen's avatar Jussi Laakkonen

iptables: Set ip6t_ip6 flags if IPv6 rule protocol is set.

The flags field must include IP6T_F_PROTO when a protocol is set for an IPv6
rule (INCLUDEDIR/linux/netfilter_ipv6/ip6_tables.h). Without it, ICMPv6 rules,
for example, are installed into ip6tables but no packet matches them, because
the kernel skips the protocol check.
parent 0e7dcd0a
......@@ -2959,6 +2959,10 @@ static int parse_xt_modules(int c, bool invert,
ctx->proto = IPPROTO_IPV6;
fw6.ipv6.proto = ctx->proto;
/* Flags must be set for IPv6 if protocol is set. */
fw6.ipv6.flags |= IP6T_F_PROTO;
break;
default:
return 0;
......@@ -3261,8 +3265,15 @@ static int parse_rule_spec(struct connman_iptables *table,
if (ctx->type == AF_INET)
ctx->ip->proto = ctx->proto;
if (ctx->type == AF_INET6)
if (ctx->type == AF_INET6) {
ctx->ipv6->proto = ctx->proto;
/*
* Flags must be set for IPv6 if
* protocol is set.
*/
ctx->ipv6->flags |= IP6T_F_PROTO;
}
}
break;
case 'j':
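Review bot: In the parse_xt_modules hunk, `fw6.ipv6.flags |= IP6T_F_PROTO;` comes directly after `ctx->proto = IPPROTO_IPV6;`, which looks like the fallback for a rule that names no protocol (the condition and the rest of the switch are outside the hunk). If `fw6` is only scratch state handed to the match parsers this is harmless, but if it is ever copied into the installed entry, a rule without `-p` would be compared against protocol 41 and stop matching ordinary traffic. If the scratch-only reading is right, I would say so in the comment, e.g. `/* fw6 is parse-only scratch; this flag never reaches the installed rule. */`, and otherwise set the flag only when the protocol was given explicitly. The bug fixed here was a rule that installs cleanly but never matches, so a regression test that adds an ICMPv6 rule and checks `IP6T_F_PROTO` on the resulting entry would keep that failure from returning unnoticed.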