netfilter: ip6t_REJECT: check for IP6T_F_PROTO
Make sure IP6T_F_PROTO is set to enforce layer 4 protocol matching from the ip6_tables core. Suggested-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent
55df35d22f
commit
e35158e401
1 changed files with 2 additions and 1 deletions
|
@ -83,7 +83,8 @@ static int reject_tg6_check(const struct xt_tgchk_param *par)
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
} else if (rejinfo->with == IP6T_TCP_RESET) {
|
} else if (rejinfo->with == IP6T_TCP_RESET) {
|
||||||
/* Must specify that it's a TCP packet */
|
/* Must specify that it's a TCP packet */
|
||||||
if (e->ipv6.proto != IPPROTO_TCP ||
|
if (!(e->ipv6.flags & IP6T_F_PROTO) ||
|
||||||
|
e->ipv6.proto != IPPROTO_TCP ||
|
||||||
(e->ipv6.invflags & XT_INV_PROTO)) {
|
(e->ipv6.invflags & XT_INV_PROTO)) {
|
||||||
pr_info("TCP_RESET illegal for non-tcp\n");
|
pr_info("TCP_RESET illegal for non-tcp\n");
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
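Review bot: The comment above the new condition still reads `/* Must specify that it's a TCP packet */`, which does not explain why checking `e->ipv6.proto != IPPROTO_TCP` alone was insufficient. Per the commit message, the ip6_tables core enforces layer 4 protocol matching only when IP6T_F_PROTO is set, so a rule without the flag could presumably match non-TCP packets and still hand them to the TCP reset path. I would extend the comment to `/* Must specify that it's a TCP packet; the core only enforces ipv6.proto when IP6T_F_PROTO is set */`. The unchanged `pr_info("TCP_RESET illegal for non-tcp\n")` now also fires when only the flag is missing, which the comment could mention so the log line is not misread. reject_tg6_check starts and ends outside this hunk.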