diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-03-21 22:20:23 +0300 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-03-22 22:02:46 +0300 |
commit | e35158e40110270600698f19bda5e21d8ce709d7 (patch) | |
tree | f647926624f1a12465f1da8fff55689032a62a35 /net/ipv6 | |
parent | 55df35d22fe3433032d82b8c67dfd283cb071953 (diff) | |
download | linux-e35158e40110270600698f19bda5e21d8ce709d7.tar.xz |
netfilter: ip6t_REJECT: check for IP6T_F_PROTO
Make sure IP6T_F_PROTO is set to enforce layer 4 protocol matching from
the ip6_tables core.
Suggested-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/ipv6')
-rw-r--r-- | net/ipv6/netfilter/ip6t_REJECT.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c index 544b0a9da1b5..12331efd49cf 100644 --- a/net/ipv6/netfilter/ip6t_REJECT.c +++ b/net/ipv6/netfilter/ip6t_REJECT.c @@ -83,7 +83,8 @@ static int reject_tg6_check(const struct xt_tgchk_param *par) return -EINVAL; } else if (rejinfo->with == IP6T_TCP_RESET) { /* Must specify that it's a TCP packet */ - if (e->ipv6.proto != IPPROTO_TCP || + if (!(e->ipv6.flags & IP6T_F_PROTO) || + e->ipv6.proto != IPPROTO_TCP || (e->ipv6.invflags & XT_INV_PROTO)) { pr_info("TCP_RESET illegal for non-tcp\n"); return -EINVAL; |