On Thursday 2024-10-03 20:30, Florian Westphal wrote: > >Module registers to NFPROTO_UNSPEC, but it assumes ipv4/ipv6 packet >processing. As this is only useful to restrict locally terminating >TCP/UDP traffic, reject non-ip families at rule load time. > >@@ -124,6 +124,14 @@ static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par) > struct xt_cluster_match_info *info = par->matchinfo; > int ret; > >+ switch (par->family) { >+ case NFPROTO_IPV4: >+ case NFPROTO_IPV6: >+ break; >+ default: >+ return -EAFNOSUPPORT; >+ } I wonder if we could just implement the logic for it. Like this patch [untested!]:
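Review bot: the `default:` branch of the new family switch at the top of xt_cluster_mt_checkentry() returns -EAFNOSUPPORT without telling the user why the rule was refused. A short ratelimited message naming the unsupported family just before `return -EAFNOSUPPORT;` would make the failure diagnosable for anyone loading the rule from a non-IP table. Since the commit message says the match is registered as NFPROTO_UNSPEC, it is also worth considering whether registering it separately for NFPROTO_IPV4 and NFPROTO_IPV6 would enforce the same restriction without a runtime check in checkentry.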