From: Tomasz Bursztyka
Date: Thu, 7 Nov 2013 08:14:37 +0000 (+0200)
Subject: xtables: arp: inhibit -l option so only a fixed 6 bytes length arhln can be used
X-Git-Tag: v1.6.0~111^2~24
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b31304a8d88e5d3b4235ac693f56f8a9ca238c32;p=thirdparty%2Fiptables.git

xtables: arp: inhibit -l option so only a fixed 6 bytes length arhln can be used

This is a temporary workaround mechanism until variable interface hardware address length can be handled through nftables. This defaults on the length of EUI-64 mac address, which should be the most common usage until this is appropriately fixed for all types of layer 2 addresses.

Signed-off-by: Tomasz Bursztyka
Signed-off-by: Pablo Neira Ayuso
---
diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c index 046ae41d..298801b3 100644 --- a/iptables/xtables-arp.c +++ b/iptables/xtables-arp.c @@ -1145,6 +1145,13 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table) invert); getlength_and_mask(argv[optind - 1], &fw.arp.arhln, &fw.arp.arhln_mask); + + if (fw.arp.arhln != 6) { + xtables_error(PARAMETER_PROBLEM, + "Only harware address length of" + " 6 is supported currently."); + } + break; case 8:/* protocol length */
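
Review bot: the added `if (fw.arp.arhln != 6)` check tests only the parsed length and ignores both `fw.arp.arhln_mask`, which `getlength_and_mask()` fills in on the line above, and the `invert` flag passed to the preceding call. A rule given as an inverted `-l 6`, or as 6 with a partial mask if the parser accepts one, would therefore pass the check while matching lengths other than 6. If the intent is that only a fixed 6-byte length is expressible, also reject inversion and require a full mask in the same block. Two smaller points: the error string has a typo, "harware" should be "hardware", and the commit message calls 6 bytes the length of an EUI-64 address, whereas 6 bytes is the EUI-48 length (EUI-64 is 8 bytes). The message also says the length "defaults" to this value, but nothing in this hunk sets a default when `-l` is absent, so either the wording or the code should be adjusted to match.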