summaryrefslogtreecommitdiffstats
path: root/net/netfilter
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@netfilter.org>2021-06-11 19:26:56 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2021-06-16 20:51:51 +0200
commit52f0f4e178c757b3d356087376aad8bd77271828 (patch)
tree43b36c5472c17a632f0aa80e3c916b64ece32d03 /net/netfilter
parent8f518d43f89ae00b9cf5460e10b91694944ca1a8 (diff)
downloadlinux-stable-52f0f4e178c757b3d356087376aad8bd77271828.tar.gz
linux-stable-52f0f4e178c757b3d356087376aad8bd77271828.tar.bz2
linux-stable-52f0f4e178c757b3d356087376aad8bd77271828.zip
netfilter: nft_tproxy: restrict support to TCP and UDP transport protocols
Add unfront check for TCP and UDP packets before performing further processing. Fixes: 4ed8eb6570a4 ("netfilter: nf_tables: Add native tproxy support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter')
-rw-r--r--net/netfilter/nft_tproxy.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c
index accef672088c..5cb4d575d47f 100644
--- a/net/netfilter/nft_tproxy.c
+++ b/net/netfilter/nft_tproxy.c
@@ -30,6 +30,12 @@ static void nft_tproxy_eval_v4(const struct nft_expr *expr,
__be16 tport = 0;
struct sock *sk;
+ if (pkt->tprot != IPPROTO_TCP &&
+ pkt->tprot != IPPROTO_UDP) {
+ regs->verdict.code = NFT_BREAK;
+ return;
+ }
+
hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
if (!hp) {
regs->verdict.code = NFT_BREAK;
@@ -91,7 +97,8 @@ static void nft_tproxy_eval_v6(const struct nft_expr *expr,
memset(&taddr, 0, sizeof(taddr));
- if (!pkt->tprot_set) {
+ if (pkt->tprot != IPPROTO_TCP &&
+ pkt->tprot != IPPROTO_UDP) {
regs->verdict.code = NFT_BREAK;
return;
}