
[nf-next] netfilter: ip6t_REJECT: check for IP6T_F_PROTO

Message ID 1426966210-13583-1-git-send-email-pablo@netfilter.org
State Accepted
Delegated to: Pablo Neira

Commit Message

Pablo Neira Ayuso March 21, 2015, 7:30 p.m. UTC
Make sure IP6T_F_PROTO is set to enforce layer 4 protocol matching from
the ip6_tables core.

Suggested-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/ipv6/netfilter/ip6t_REJECT.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Patrick McHardy March 21, 2015, 7:38 p.m. UTC | #1
On 21.03, Pablo Neira Ayuso wrote:
> Make sure IP6T_F_PROTO is set to enforce layer 4 protocol matching from
> the ip6_tables core.
> 
> Suggested-by: Patrick McHardy <kaber@trash.net>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Looks good, thanks!

> ---
>  net/ipv6/netfilter/ip6t_REJECT.c |    3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
> index 544b0a9..12331ef 100644
> --- a/net/ipv6/netfilter/ip6t_REJECT.c
> +++ b/net/ipv6/netfilter/ip6t_REJECT.c
> @@ -83,7 +83,8 @@ static int reject_tg6_check(const struct xt_tgchk_param *par)
>  		return -EINVAL;
>  	} else if (rejinfo->with == IP6T_TCP_RESET) {
>  		/* Must specify that it's a TCP packet */
> -		if (e->ipv6.proto != IPPROTO_TCP ||
> +		if (!(e->ipv6.flags & IP6T_F_PROTO) ||
> +		    e->ipv6.proto != IPPROTO_TCP ||
>  		    (e->ipv6.invflags & XT_INV_PROTO)) {
>  			pr_info("TCP_RESET illegal for non-tcp\n");
>  			return -EINVAL;
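Review bot: the pr_info() kept in this hunk still reads "TCP_RESET illegal for non-tcp" although the condition now refuses three distinct cases: no IP6T_F_PROTO flag, a protocol other than IPPROTO_TCP, and an inverted protocol match (XT_INV_PROTO). A rule refused because it carried no protocol match at all gets the same log line as one written with `! -p tcp`, which makes the failure harder to diagnose from the kernel log; consider wording it along the lines of "TCP_RESET requires a non-inverted -p tcp match" so the message names the actual requirement.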
> -- 
> 1.7.10.4
> 

Patch

diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index 544b0a9..12331ef 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -83,7 +83,8 @@  static int reject_tg6_check(const struct xt_tgchk_param *par)
 		return -EINVAL;
 	} else if (rejinfo->with == IP6T_TCP_RESET) {
 		/* Must specify that it's a TCP packet */
-		if (e->ipv6.proto != IPPROTO_TCP ||
+		if (!(e->ipv6.flags & IP6T_F_PROTO) ||
+		    e->ipv6.proto != IPPROTO_TCP ||
 		    (e->ipv6.invflags & XT_INV_PROTO)) {
 			pr_info("TCP_RESET illegal for non-tcp\n");
 			return -EINVAL;
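Review bot: the added `!(e->ipv6.flags & IP6T_F_PROTO)` test closes a real gap in the old check. ip6_tables only compares the layer-4 protocol when IP6T_F_PROTO is set, so a rule whose `proto` field equalled IPPROTO_TCP but whose `flags` lacked IP6T_F_PROTO passed the previous test while matching packets of any protocol, and the target could then answer non-TCP packets with a TCP RST. The commit message says only "enforce layer 4 protocol matching from the ip6_tables core"; it would help future readers if it stated that the earlier check could be satisfied by a ruleset the core never actually protocol-matches, since the kernel cannot rely on userspace setting the flag and the field consistently. The ordering inside the condition is right: the flag is tested first, so `proto` and `invflags` are only consulted once they are meaningful.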