iptables: Set ip6t_ip6 flags if IPv6 rule protocol is set.
The flags field must have IP6T_F_PROTO set if the protocol for an IPv6 rule is
being set (INCLUDEDIR/linux/netfilter_ipv6/ip6_tables.h). Without it,
ICMPv6 rules, for example, are installed into ip6tables but no packet
matches the rule because the protocol check is skipped in the kernel.
LaakkonenJussi committed Jan 17, 2019
1 parent 0e7dcd0 commit fc3068b
Showing 1 changed file with 12 additions and 1 deletion.
13 changes: 12 additions & 1 deletion connman/src/iptables.c
Expand Up @@ -2959,6 +2959,10 @@ static int parse_xt_modules(int c, bool invert,
ctx->proto = IPPROTO_IPV6;

fw6.ipv6.proto = ctx->proto;

/* Flags must be set for IPv6 if protocol is set. */
fw6.ipv6.flags |= IP6T_F_PROTO;

break;
default:
return 0;
Expand Down Expand Up @@ -3261,8 +3265,15 @@ static int parse_rule_spec(struct connman_iptables *table,
if (ctx->type == AF_INET)
ctx->ip->proto = ctx->proto;

if (ctx->type == AF_INET6)
if (ctx->type == AF_INET6) {
ctx->ipv6->proto = ctx->proto;

/*
* Flags must be set for IPv6 if
* protocol is set.
*/
ctx->ipv6->flags |= IP6T_F_PROTO;
}
}
break;
case 'j':
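Review bot: The invariant "whenever an IPv6 protocol is written, IP6T_F_PROTO must be raised too" is now enforced by hand in two separate places (the IPPROTO_IPV6 case of parse_xt_modules in the first hunk and the AF_INET6 branch of parse_rule_spec in the second), each guarded only by a comment; a small static helper that does both writes would make it impossible for a future `-p` path to reintroduce the silent "rule installed but never matches" failure, which is the fail-open behaviour this commit is fixing. Both hunks are cut out of larger functions (the switch in parse_xt_modules and the option handling in parse_rule_spec start above the visible lines), so if any other case label in that switch also assigns `fw6.ipv6.proto`, it needs the same treatment and is not covered here. The inverted form of a protocol match additionally needs IP6T_INV_PROTO in `invflags`; parse_xt_modules takes an `invert` parameter, but whether it is ever applied to the IPv6 protocol is outside these hunks and worth confirming, since an unset invert bit would quietly turn a negated protocol rule into a positive one.
```c
/* Every IPv6 protocol write must also raise IP6T_F_PROTO; without the flag
 * the kernel skips the protocol check and the rule silently never matches. */
static void set_ipv6_proto(struct ip6t_ip6 *ip6, __u16 proto)
{
	ip6->proto = proto;
	ip6->flags |= IP6T_F_PROTO;
}

/* … unchanged: callers replace the paired proto/flags assignments with set_ipv6_proto(&fw6.ipv6, ctx->proto) and set_ipv6_proto(ctx->ipv6, ctx->proto) … */
```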
