diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-06-11 20:26:56 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2021-07-20 17:15:50 +0300 |
commit | 6b97694d0a76c7b5f5e374dab2a3b1ef54899dc7 (patch) | |
tree | e8f79403d44a063da58538975aca8bc76bda58be | |
parent | 3225cd78880a15928f8930e3de698a6edca63f42 (diff) | |
download | linux-6b97694d0a76c7b5f5e374dab2a3b1ef54899dc7.tar.xz |
netfilter: nft_tproxy: restrict support to TCP and UDP transport protocols
[ Upstream commit 52f0f4e178c757b3d356087376aad8bd77271828 ]
Add unfront check for TCP and UDP packets before performing further
processing.
Fixes: 4ed8eb6570a4 ("netfilter: nf_tables: Add native tproxy support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-rw-r--r-- | net/netfilter/nft_tproxy.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c index 95980154ef02..b97ab1198b03 100644 --- a/net/netfilter/nft_tproxy.c +++ b/net/netfilter/nft_tproxy.c @@ -30,6 +30,12 @@ static void nft_tproxy_eval_v4(const struct nft_expr *expr, __be16 tport = 0; struct sock *sk; + if (pkt->tprot != IPPROTO_TCP && + pkt->tprot != IPPROTO_UDP) { + regs->verdict.code = NFT_BREAK; + return; + } + hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr); if (!hp) { regs->verdict.code = NFT_BREAK; @@ -91,7 +97,8 @@ static void nft_tproxy_eval_v6(const struct nft_expr *expr, memset(&taddr, 0, sizeof(taddr)); - if (!pkt->tprot_set) { + if (pkt->tprot != IPPROTO_TCP && + pkt->tprot != IPPROTO_UDP) { regs->verdict.code = NFT_BREAK; return; } |