From fc3068b0b8c063db4790fe9233c173bc804967d2 Mon Sep 17 00:00:00 2001
From: Jussi Laakkonen
Date: Thu, 17 Jan 2019 14:18:25 +0200
Subject: [PATCH] iptables: Set ip6t_ip6 flags if IPv6 rule protocol is set.
Flags is required to be set as IP6T_F_PROTO if protocol for IPv6 rule is being set (INCLUDEDIR/linux/netfilter_ipv6/ip6_tables.h). Without this being set, ICMPv6 rules, for example, are installed to ip6tables but no packet matches the rule as protocol check is skipped in kernel.
---
 connman/src/iptables.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/connman/src/iptables.c b/connman/src/iptables.c
index b1863f79e..1211f97dc 100644
--- a/connman/src/iptables.c
+++ b/connman/src/iptables.c
@@ -2959,6 +2959,10 @@ static int parse_xt_modules(int c, bool invert,
 ctx->proto = IPPROTO_IPV6;
 fw6.ipv6.proto = ctx->proto;
+
+ /* Flags must be set for IPv6 if protocol is set. */
+ fw6.ipv6.flags |= IP6T_F_PROTO;
+
 break;
 default:
 return 0;
@@ -3261,8 +3265,15 @@ static int parse_rule_spec(struct connman_iptables *table,
 if (ctx->type == AF_INET)
 ctx->ip->proto = ctx->proto;
- if (ctx->type == AF_INET6)
+ if (ctx->type == AF_INET6) {
 ctx->ipv6->proto = ctx->proto;
+
+ /*
+ * Flags must be set for IPv6 if
+ * protocol is set.
+ */
+ ctx->ipv6->flags |= IP6T_F_PROTO;
+ }
 }
 break;
 case 'j':
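Review bot: The same two-statement invariant (assign `proto`, OR `IP6T_F_PROTO` into `flags`) is now written by hand both here in parse_xt_modules and in the parse_rule_spec hunk, so the next site that assigns an IPv6 `proto` can forget the flag and silently reintroduce the bug this commit fixes; a small static helper such as `set_ipv6_proto(struct ip6t_ip6 *ip6, uint8_t proto)` that does both, called as `set_ipv6_proto(&fw6.ipv6, ctx->proto);` here and `set_ipv6_proto(ctx->ipv6, ctx->proto);` in parse_rule_spec, keeps the invariant in one place. The added comment states the rule but not the reason, and a maintainer is more likely to preserve it if it reads `/* IP6T_F_PROTO tells the kernel to compare ip6t_ip6.proto; without it the protocol field is not consulted (linux/netfilter_ipv6/ip6_tables.h). */`. It is also worth pinning down in that comment what an unflagged rule does on the kernel side, since for an ACCEPT rule it matters whether it matches too few packets or too many; the commit message says too few, which should be confirmed against the kernel's IPv6 packet-match code before being documented as fact. If other branches of this switch, outside the hunk, also assign `fw6.ipv6.proto`, they need the same treatment, which I cannot verify from here. Both parse_xt_modules and parse_rule_spec begin and end outside their hunks.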