netfilter: ip6t_REJECT: check for IP6T_F_PROTO

Make sure IP6T_F_PROTO is set to enforce layer 4 protocol matching from the ip6_tables core. Suggested-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2015-03-21 19:20:23 (GMT)
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2015-03-22 19:02:46 (GMT)
commit: e35158e40110270600698f19bda5e21d8ce709d7 (patch)
tree: f647926624f1a12465f1da8fff55689032a62a35
parent: 55df35d22fe3433032d82b8c67dfd283cb071953 (diff)
download: linux-e35158e40110270600698f19bda5e21d8ce709d7.tar.xz
1 files changed, 2 insertions, 1 deletions
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index 544b0a9..12331ef 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -83,7 +83,8 @@ static int reject_tg6_check(const struct xt_tgchk_param *par)
 		return -EINVAL;
 	} else if (rejinfo->with == IP6T_TCP_RESET) {
 		/* Must specify that it's a TCP packet */
-		if (e->ipv6.proto != IPPROTO_TCP ||
+		if (!(e->ipv6.flags & IP6T_F_PROTO) ||
+		    e->ipv6.proto != IPPROTO_TCP ||
 		    (e->ipv6.invflags & XT_INV_PROTO)) {
 			pr_info("TCP_RESET illegal for non-tcp\n");
 			return -EINVAL;
author	Pablo Neira Ayuso <pablo@netfilter.org>	2015-03-21 19:20:23 (GMT)
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2015-03-22 19:02:46 (GMT)
commit	e35158e40110270600698f19bda5e21d8ce709d7 (patch)
tree	f647926624f1a12465f1da8fff55689032a62a35
parent	55df35d22fe3433032d82b8c67dfd283cb071953 (diff)
download	linux-e35158e40110270600698f19bda5e21d8ce709d7.tar.xz