Re: [PATCH nf-next] netfilter: ip6t_REJECT: check for IP6T_F_PROTO

On 21.03, Pablo Neira Ayuso wrote:
> Make sure IP6T_F_PROTO is set to enforce layer 4 protocol matching from
> the ip6_tables core.
> 
> Suggested-by: Patrick McHardy <kaber@xxxxxxxxx>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>

Looks good, thanks!

> ---
>  net/ipv6/netfilter/ip6t_REJECT.c |    3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
> index 544b0a9..12331ef 100644
> --- a/net/ipv6/netfilter/ip6t_REJECT.c
> +++ b/net/ipv6/netfilter/ip6t_REJECT.c
> @@ -83,7 +83,8 @@ static int reject_tg6_check(const struct xt_tgchk_param *par)
>  		return -EINVAL;
>  	} else if (rejinfo->with == IP6T_TCP_RESET) {
>  		/* Must specify that it's a TCP packet */
> -		if (e->ipv6.proto != IPPROTO_TCP ||
> +		if (!(e->ipv6.flags & IP6T_F_PROTO) ||
> +		    e->ipv6.proto != IPPROTO_TCP ||
>  		    (e->ipv6.invflags & XT_INV_PROTO)) {
>  			pr_info("TCP_RESET illegal for non-tcp\n");
>  			return -EINVAL;
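
Review bot: the added `!(e->ipv6.flags & IP6T_F_PROTO)` test in reject_tg6_check() falls through to the same pr_info("TCP_RESET illegal for non-tcp\n") as the other two conditions, so a rule refused only because the flag is clear is reported as if its protocol value were wrong. Consider rewording the message, or extending the "Must specify that it's a TCP packet" comment, so that it names the flag requirement. The commit message would also benefit from one sentence on what happens to a rule that has proto set to IPPROTO_TCP while IP6T_F_PROTO is not set, since that is the case this condition newly rejects.
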
> -- 
> 1.7.10.4
> 
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



