[PATCH] Netfilter MAC address filtering in the FORWARD chain

From: Berend Ozceri (berend@cisco.com)
Date: Sat Oct 21 2000 - 16:31:08 EST


I think the following patch makes MAC address filtering work better in
the FORWARD chain. The problem in the original code is that it uses
skb->len in determining whether or not the packet being filtered has
enough bytes to contain a MAC address, but that field is not necessarily
valid when the filtering code gets called in the FORWARD chain. Using
just skb->head and skb->tail in the bounds checking avoids that problem.

Berend

diff -u linux/net/ipv4/netfilter/ipt_mac.c{.original,}
--- linux/net/ipv4/netfilter/ipt_mac.c.original Sat Oct 21 14:01:33 2000

+++ linux/net/ipv4/netfilter/ipt_mac.c Sat Oct 21 14:03:07 2000
@@ -20,7 +20,7 @@

     /* Is mac pointer valid? */
     return (skb->mac.raw >= skb->head
- && skb->mac.raw < skb->head + skb->len - ETH_HLEN
+ && skb->mac.raw + ETH_HLEN <= skb->tail
            /* If so, compare... */
            && ((memcmp(skb->mac.ethernet->h_source, info->srcaddr,
ETH_ALEN)
                == 0) ^ info->invert));

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Mon Oct 23 2000 - 21:00:18 EST