| From a9420b71d63bd4af750d6a102f52c29c9d6a79f8 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Fri, 11 Jun 2021 19:26:56 +0200 |
| Subject: netfilter: nft_tproxy: restrict support to TCP and UDP transport |
| protocols |
| |
| From: Pablo Neira Ayuso <pablo@netfilter.org> |
| |
| [ Upstream commit 52f0f4e178c757b3d356087376aad8bd77271828 ] |
| |
| Add upfront check for TCP and UDP packets before performing further |
| processing. |
| |
| Fixes: 4ed8eb6570a4 ("netfilter: nf_tables: Add native tproxy support") |
| Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| net/netfilter/nft_tproxy.c | 9 ++++++++- |
| 1 file changed, 8 insertions(+), 1 deletion(-) |
| |
| diff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c |
| index d67f83a0958d..242222dc52c3 100644 |
| --- a/net/netfilter/nft_tproxy.c |
| +++ b/net/netfilter/nft_tproxy.c |
| @@ -30,6 +30,12 @@ static void nft_tproxy_eval_v4(const struct nft_expr *expr, |
| __be16 tport = 0; |
| struct sock *sk; |
| |
| + if (pkt->tprot != IPPROTO_TCP && |
| + pkt->tprot != IPPROTO_UDP) { |
| + regs->verdict.code = NFT_BREAK; |
| + return; |
| + } |
| + |
| hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr); |
| if (!hp) { |
| regs->verdict.code = NFT_BREAK; |
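Review bot: The TCP/UDP predicate is spelled out twice, here in nft_tproxy_eval_v4 and again in nft_tproxy_eval_v6 in the following hunk; a small static helper would keep the two evaluators from drifting apart and gives the rule one place for a why-comment. The v6 hunk replaces the earlier `!pkt->tprot_set` test, so both evaluators now depend on pkt->tprot holding a value other than IPPROTO_TCP/IPPROTO_UDP whenever the transport protocol was never set — presumably 0, but worth confirming against the code that initialises pkt->tprot, since nothing in the hunks re-checks tprot_set. Both evaluator bodies continue outside the hunk.
```c
/* tproxy only matches on transport ports, which exist for TCP and UDP
 * alone; an unset or any other transport protocol is rejected. */
static bool nft_tproxy_transport_ok(const struct nft_pktinfo *pkt)
{
	return pkt->tprot == IPPROTO_TCP || pkt->tprot == IPPROTO_UDP;
}
/* … unchanged: nft_tproxy_eval_v4 prologue … */
	if (!nft_tproxy_transport_ok(pkt)) {
		regs->verdict.code = NFT_BREAK;
		return;
	}
```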
| @@ -91,7 +97,8 @@ static void nft_tproxy_eval_v6(const struct nft_expr *expr, |
| |
| memset(&taddr, 0, sizeof(taddr)); |
| |
| - if (!pkt->tprot_set) { |
| + if (pkt->tprot != IPPROTO_TCP && |
| + pkt->tprot != IPPROTO_UDP) { |
| regs->verdict.code = NFT_BREAK; |
| return; |
| } |
| -- |
| 2.30.2 |
| |