• Florian Westphal's avatar
    ipv6: re-enable fragment header matching in ipv6_find_hdr · f05ebc68
    Florian Westphal authored
    commit 5d150a98 upstream.
    
    When ipv6_find_hdr is used to find a fragment header
    (caller specifies target NEXTHDR_FRAGMENT) we erronously return
    -ENOENT for all fragments with nonzero offset.
    
    Before commit 9195bb8e, when target was specified, we did not
    enter the exthdr walk loop as nexthdr == target so this used to work.
    
    Now we do (so we can skip empty route headers). When we then stumble upon
    a frag with nonzero frag_off we must return -ENOENT ("header not found")
    only if the caller did not specifically request NEXTHDR_FRAGMENT.
    
    This allows nfables exthdr expression to match ipv6 fragments, e.g. via
    
    nft add rule ip6 filter input frag frag-off gt 0
    
    Fixes: 9195bb8e ("ipv6: improve ipv6_find_hdr() to skip empty routing headers")
    Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
    f05ebc68
exthdrs_core.c 7.58 KB