xtables: arp: inhibit -l option so only a fixed 6 bytes length arhln can be used
authorTomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Thu, 7 Nov 2013 08:14:37 +0000 (10:14 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Mon, 30 Dec 2013 22:50:53 +0000 (23:50 +0100)
This is a temporary workaround mechanism until variable interface
hardware address lengths can be handled through nftables. It
defaults to the length of an EUI-64 MAC address, which should be the
most common usage until this is appropriately fixed for all types
of layer 2 addresses.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables/xtables-arp.c

index 046ae41d48bf2e252a47fff074b9365e5f68db8a..298801b393ef6124960cb7afbb46377a626f629c 100644 (file)
@@ -1145,6 +1145,13 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table)
                                   invert);
                        getlength_and_mask(argv[optind - 1], &fw.arp.arhln,
                                           &fw.arp.arhln_mask);
+
+                       if (fw.arp.arhln != 6) {
+                               xtables_error(PARAMETER_PROBLEM,
+                                             "Only harware address length of"
+                                             " 6 is supported currently.");
+                       }
+
                        break;
 
                case 8:/* protocol length */
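Review bot: The new check `if (fw.arp.arhln != 6)` validates only the length value, so the mask that `getlength_and_mask()` stores in `fw.arp.arhln_mask` and the `invert` flag passed on the line above are left unconstrained. An inverted or partially masked `-l 6` would apparently still be accepted without pinning the hardware address length to 6 bytes, so the installed rule could match something other than what the operator intended. Consider rejecting those forms as well, for example `if (invert || fw.arp.arhln != 6 || fw.arp.arhln_mask != 0xff)`, assuming the mask field is one byte wide, which is not visible in this hunk. The error string has a typo (`"Only harware address length of"` should be `"Only hardware address length of"`), and the bare `6` would read better as a named constant with a comment that it is the 6-byte Ethernet (EUI-48) address length. The enclosing `case` and the body of `do_commandarp` start and end outside the hunk.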