I think the following patch makes MAC address filtering work better in
the FORWARD chain. The problem in the original code is that it uses
skb->len in determining whether or not the packet being filtered has
enough bytes to contain a MAC address, but that field is not necessarily
valid when the filtering code gets called in the FORWARD chain. Using
just skb->head and skb->tail in the bounds checking avoids that problem.
Berend
diff -u linux/net/ipv4/netfilter/ipt_mac.c{.original,}
--- linux/net/ipv4/netfilter/ipt_mac.c.original Sat Oct 21 14:01:33 2000
+++ linux/net/ipv4/netfilter/ipt_mac.c Sat Oct 21 14:03:07 2000
@@ -20,7 +20,7 @@
/* Is mac pointer valid? */
return (skb->mac.raw >= skb->head
- && skb->mac.raw < skb->head + skb->len - ETH_HLEN
+ && skb->mac.raw + ETH_HLEN <= skb->tail
/* If so, compare... */
&& ((memcmp(skb->mac.ethernet->h_source, info->srcaddr,
ETH_ALEN)
== 0) ^ info->invert));
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Mon Oct 23 2000 - 21:00:18 EST