netfilter: ip6t_REJECT: check for IP6T_F_PROTO



Make sure IP6T_F_PROTO is set to enforce layer 4 protocol matching from
the ip6_tables core.

Suggested-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent 55df35d2

net/ipv6/netfilter/ip6t_REJECT.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -83,7 +83,8 @@ static int reject_tg6_check(const struct xt_tgchk_param *par)
		return -EINVAL;
		} else if (rejinfo->with == IP6T_TCP_RESET) {
		/* Must specify that it's a TCP packet */
		if (e->ipv6.proto != IPPROTO_TCP \|\|
		if (!(e->ipv6.flags & IP6T_F_PROTO) \|\|
		e->ipv6.proto != IPPROTO_TCP \|\|
		(e->ipv6.invflags & XT_INV_PROTO)) {
		pr_info("TCP_RESET illegal for non-tcp\n");
		return -EINVAL;