Commit 52f0f4e1 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso

netfilter: nft_tproxy: restrict support to TCP and UDP transport protocols



Add an upfront check for TCP and UDP packets before performing further
processing.

Fixes: 4ed8eb65 ("netfilter: nf_tables: Add native tproxy support")
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 8f518d43
+8 −1
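--- a/net/netfilter/nft_tproxy.c
+++ b/net/netfilter/nft_tproxy.c
@@ -30,6 +30,12 @@ static void nft_tproxy_eval_v4(const struct nft_expr *expr,
 	__be16 tport = 0;
 	struct sock *sk;
 
+	if (pkt->tprot != IPPROTO_TCP &&
+	    pkt->tprot != IPPROTO_UDP) {
+		regs->verdict.code = NFT_BREAK;
+		return;
+	}
+
 	hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
 	if (!hp) {
 		regs->verdict.code = NFT_BREAK;
@@ -91,7 +97,8 @@ static void nft_tproxy_eval_v6(const struct nft_expr *expr,
 
 	memset(&taddr, 0, sizeof(taddr));
 
-	if (!pkt->tprot_set) {
+	if (pkt->tprot != IPPROTO_TCP &&
+	    pkt->tprot != IPPROTO_UDP) {
 		regs->verdict.code = NFT_BREAK;
 		return;
 	}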
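Review bot: The v6 hunk replaces the `if (!pkt->tprot_set)` guard with a direct test of `pkt->tprot`, so the new code is only correct if `tprot` is guaranteed to hold a non-TCP/UDP value whenever `tprot_set` is false; that presumably holds because the unspec pktinfo setup zeroes `tprot`, but it is now an implicit dependency rather than an explicit check. Keeping the flag in the condition costs nothing: `if (!pkt->tprot_set || (pkt->tprot != IPPROTO_TCP && pkt->tprot != IPPROTO_UDP)) {`. The v4 hunk gains the same protocol test without ever having had a `tprot_set` check, so the same implicit dependency applies there too. A one-line comment above each test, `/* the socket lookup below only understands TCP and UDP transport headers */`, would record why every other transport breaks out of the rule. Both nft_tproxy_eval_v4 and nft_tproxy_eval_v6 start and end outside the visible hunks.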