author | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-06-11 19:26:56 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-06-16 20:51:51 +0200 |
commit | 52f0f4e178c757b3d356087376aad8bd77271828 (patch) | |
tree | 43b36c5472c17a632f0aa80e3c916b64ece32d03 /net/netfilter | |
parent | 8f518d43f89ae00b9cf5460e10b91694944ca1a8 (diff) | |
netfilter: nft_tproxy: restrict support to TCP and UDP transport protocols
Add an upfront check for TCP and UDP packets before performing further
processing.
Fixes: 4ed8eb6570a4 ("netfilter: nf_tables: Add native tproxy support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter')
-rw-r--r-- | net/netfilter/nft_tproxy.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c
index accef672088c..5cb4d575d47f 100644
--- a/net/netfilter/nft_tproxy.c
+++ b/net/netfilter/nft_tproxy.c
@@ -30,6 +30,12 @@ static void nft_tproxy_eval_v4(const struct nft_expr *expr,
 	__be16 tport = 0;
 	struct sock *sk;
 
+	if (pkt->tprot != IPPROTO_TCP &&
+	    pkt->tprot != IPPROTO_UDP) {
+		regs->verdict.code = NFT_BREAK;
+		return;
+	}
+
 	hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
 	if (!hp) {
 		regs->verdict.code = NFT_BREAK;
@@ -91,7 +97,8 @@ static void nft_tproxy_eval_v6(const struct nft_expr *expr,
 	memset(&taddr, 0, sizeof(taddr));
 
-	if (!pkt->tprot_set) {
+	if (pkt->tprot != IPPROTO_TCP &&
+	    pkt->tprot != IPPROTO_UDP) {
 		regs->verdict.code = NFT_BREAK;
 		return;
 	}
 
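Review bot: The v6 hunk replaces the explicit `!pkt->tprot_set` guard with a test on `pkt->tprot` alone, and the v4 hunk adds the same test where no `tprot_set` check existed before; this is only as strong as the old guard if `pkt->tprot` is guaranteed to hold a value other than IPPROTO_TCP/IPPROTO_UDP whenever no transport header was parsed, which presumably the pktinfo setup ensures but is not visible in this diff and deserves a comment at the v4 check, e.g. `/* also rejects packets without a parsed transport header (tprot_set false) — relies on tprot not being TCP/UDP in that case */` once confirmed. The same four-line predicate is now duplicated in nft_tproxy_eval_v4 and nft_tproxy_eval_v6, so a small shared helper would keep the two paths from drifting apart the next time the accepted protocol set changes. Both functions start and end outside the hunks.
```c
static inline bool nft_tproxy_tprot_ok(const struct nft_pktinfo *pkt)
{
	return pkt->tprot == IPPROTO_TCP || pkt->tprot == IPPROTO_UDP;
}

/* … unchanged: nft_tproxy_eval_v4 declarations … */
	if (!nft_tproxy_tprot_ok(pkt)) {
		regs->verdict.code = NFT_BREAK;
		return;
	}
/* … unchanged: rest of nft_tproxy_eval_v4; same replacement in nft_tproxy_eval_v6 … */
```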