From: Pablo Neira Ayuso Date: Sat, 21 Mar 2015 19:20:23 +0000 (+0100) Subject: netfilter: ip6t_REJECT: check for IP6T_F_PROTO X-Git-Tag: firefly_0821_release~176^2~1974^2~165^2 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=e35158e40110270600698f19bda5e21d8ce709d7;p=firefly-linux-kernel-4.4.55.git netfilter: ip6t_REJECT: check for IP6T_F_PROTO Make sure IP6T_F_PROTO is set to enforce layer 4 protocol matching from the ip6_tables core. Suggested-by: Patrick McHardy Signed-off-by: Pablo Neira Ayuso --- diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c index 544b0a9da1b5..12331efd49cf 100644 --- a/net/ipv6/netfilter/ip6t_REJECT.c +++ b/net/ipv6/netfilter/ip6t_REJECT.c @@ -83,7 +83,8 @@ static int reject_tg6_check(const struct xt_tgchk_param *par) return -EINVAL; } else if (rejinfo->with == IP6T_TCP_RESET) { /* Must specify that it's a TCP packet */ - if (e->ipv6.proto != IPPROTO_TCP || + if (!(e->ipv6.flags & IP6T_F_PROTO) || + e->ipv6.proto != IPPROTO_TCP || (e->ipv6.invflags & XT_INV_PROTO)) { pr_info("TCP_RESET illegal for non-tcp\n"); return -EINVAL;