libip6t_frag: match any frag id by default
authorMichal Kubeček <mkubecek@suse.cz>
Tue, 7 Aug 2012 13:10:05 +0000 (15:10 +0200)
committerJan Engelhardt <jengelh@inai.de>
Wed, 8 Aug 2012 18:16:54 +0000 (20:16 +0200)
If no --fragid option is given, the frag extension only matches
fragments with a zero-valued "Identification" field. This behavior
deviates from what other extensions do (they match all values in this
case) and is unexpected, and therefore changed by this patch.

Additionally, --fragid 0:4294967295 leads to no output on `iptables
-S` because part of the code thinks that this would be the default,
when it is not.

So, default to match all frag values, such that iptables -S not
outputting anything also becomes correct.

Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
extensions/libip6t_frag.c

index d8bcaeee2daca261add9838fbd362fc7fe45845d..023df627ddad2c367f30ff7e04e4779682a629a9 100644 (file)
@@ -41,6 +41,13 @@ static const struct xt_option_entry frag_opts[] = {
 };
 #undef s
 
+static void frag_init(struct xt_entry_match *m)
+{
+       struct ip6t_frag *fraginfo = (void *)m->data;
+
+       fraginfo->ids[1] = ~0U;
+}
+
 static void frag_parse(struct xt_option_call *cb)
 {
        struct ip6t_frag *fraginfo = cb->data;
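Review bot: frag_init() writes only `ids[1]`, so the new match-any default depends on `ids[0]` already being zero when the init hook runs, and nothing in the function says so. A comment such as `/* default range 0..0xFFFFFFFF: ids[0] is left at 0, so any Identification value matches */` would make that explicit; the allocation of `m->data` is outside the hunk, so confirm it is zeroed before init is called. `~0U` equals 4294967295 only where `unsigned int` is 32 bits wide, so `fraginfo->ids[1] = 0xFFFFFFFF;` would be clearer, and it should be the same constant the print/save code (outside this hunk) tests when deciding whether the range is the default. Because a rule using `-m frag` without `--fragid` now matches every fragment rather than only id 0, the extension's man page should state the new default so existing rule sets can be re-checked.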
@@ -173,6 +180,7 @@ static struct xtables_match frag_mt6_reg = {
        .size          = XT_ALIGN(sizeof(struct ip6t_frag)),
        .userspacesize = XT_ALIGN(sizeof(struct ip6t_frag)),
        .help          = frag_help,
+       .init          = frag_init,
        .print         = frag_print,
        .save          = frag_save,
        .x6_parse      = frag_parse,