Commit e35158e

netfilter: ip6t_REJECT: check for IP6T_F_PROTO
Make sure IP6T_F_PROTO is set to enforce layer 4 protocol matching from the ip6_tables core.

Suggested-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
1 parent 55df35d commit e35158e

1 file changed

+2
-1
lines changed

net/ipv6/netfilter/ip6t_REJECT.c

Lines changed: 2 additions & 1 deletion
@@ -83,7 +83,8 @@ static int reject_tg6_check(const struct xt_tgchk_param *par)
8383
return -EINVAL;
8484
} else if (rejinfo->with == IP6T_TCP_RESET) {
8585
/* Must specify that it's a TCP packet */
86-
if (e->ipv6.proto != IPPROTO_TCP ||
86+
if (!(e->ipv6.flags & IP6T_F_PROTO) ||
87+
e->ipv6.proto != IPPROTO_TCP ||
8788
(e->ipv6.invflags & XT_INV_PROTO)) {
8889
pr_info("TCP_RESET illegal for non-tcp\n");
8990
return -EINVAL;
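
Review bot: The comment above the condition in reject_tg6_check() ("Must specify that it's a TCP packet") and the pr_info text "TCP_RESET illegal for non-tcp" are left unchanged, so a rule that is now rejected only because IP6T_F_PROTO is clear in e->ipv6.flags gets a message that reads as if the protocol value were wrong. Consider extending the comment to say that, per the commit message, the ip6_tables core enforces the layer 4 protocol match only when IP6T_F_PROTO is set, which is why e->ipv6.proto == IPPROTO_TCP alone is not sufficient for IP6T_TCP_RESET. The commit message would also benefit from one sentence on what a rule with proto set but the flag clear would do without this test, so the reason for the added clause is on record.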