netfilter: nft_tproxy: restrict support to TCP and UDP transport protocols
[ Upstream commit 52f0f4e178 ]
Add upfront check for TCP and UDP packets before performing further processing. Fixes: 4ed8eb6570
("netfilter: nf_tables: Add native tproxy support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
parent
a3f1e8e316
commit
da4ad14f87
1 changed files with 8 additions and 1 deletions
@ -30,6 +30,12 @@ static void nft_tproxy_eval_v4(const struct nft_expr *expr,
|
|||
__be16 tport = 0;
|
||||
struct sock *sk;
|
||||
|
||||
if (pkt->tprot != IPPROTO_TCP &&
|
||||
pkt->tprot != IPPROTO_UDP) {
|
||||
regs->verdict.code = NFT_BREAK;
|
||||
return;
|
||||
}
|
||||
|
||||
hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
|
||||
if (!hp) {
|
||||
regs->verdict.code = NFT_BREAK;
|
||||
|
@ -91,7 +97,8 @@ static void nft_tproxy_eval_v6(const struct nft_expr *expr,
|
|||
|
||||
memset(&taddr, 0, sizeof(taddr));
|
||||
|
||||
if (!pkt->tprot_set) {
|
||||
if (pkt->tprot != IPPROTO_TCP &&
|
||||
pkt->tprot != IPPROTO_UDP) {
|
||||
regs->verdict.code = NFT_BREAK;
|
||||
return;
|
||||
}
|
||||
|
|
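Review bot: The v6 hunk replaces the `!pkt->tprot_set` guard with a test on `pkt->tprot` alone, so the new check is only a superset of the old one if `tprot` holds something other than IPPROTO_TCP/IPPROTO_UDP whenever the transport header was not located; that seems to hold if the pktinfo setup zeroes `tprot` when it clears `tprot_set`, but the hunk does not show it and it is worth confirming rather than assuming. The same two-line protocol test is now duplicated in nft_tproxy_eval_v4 and nft_tproxy_eval_v6; a helper such as `static inline bool nft_tproxy_proto_ok(const struct nft_pktinfo *pkt) { return pkt->tprot == IPPROTO_TCP || pkt->tprot == IPPROTO_UDP; }` would keep the two evaluators from drifting apart. A short comment above each check, `/* tproxy only handles TCP and UDP; other protocols do not match this rule */`, would record why the verdict is NFT_BREAK rather than a drop. Both evaluator bodies start and end outside the hunks shown.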