
Commit 58d5a025 authored by Patrick McHardy's avatar Patrick McHardy

netfilter: ipt_ecn: fix protocol check in ecn_mt_check()



Check for protocol inversion in ecn_mt_check() and remove the
unnecessary runtime check for IPPROTO_TCP in ecn_mt().

Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
parent 63f6fe92
+1 −3
@@ -76,8 +76,6 @@ static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
			return false;

	if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) {
		if (ip_hdr(skb)->protocol != IPPROTO_TCP)
			return false;
		if (!match_tcp(skb, info, &par->hotdrop))
			return false;
	}
@@ -97,7 +95,7 @@ static int ecn_mt_check(const struct xt_mtchk_param *par)
		return -EINVAL;

	if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) &&
	    ip->proto != IPPROTO_TCP) {
	    (ip->proto != IPPROTO_TCP || ip->invflags & IPT_INV_PROTO)) {
		pr_info("cannot match TCP bits in rule for non-tcp packets\n");
		return -EINVAL;
	}
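Review bot: With the runtime `IPPROTO_TCP` test gone from ecn_mt() in the first hunk, the match_tcp() call is safe only because ecn_mt_check() rejects any ECE/CWR rule that is not a non-inverted TCP match, and nothing at the call site records that dependency. I would add a comment above the call, e.g. `/* ecn_mt_check() only admits ECE/CWR matching on non-inverted -p tcp rules, so this is a TCP packet */`, so that a later change to the check does not silently let a non-TCP payload be read as a TCP header. In the second hunk, writing the mask test as `(ip->invflags & IPT_INV_PROTO)` would make the precedence explicit, and the pr_info() text could mention inverted protocol matches, since it now fires for those too. Both function bodies start and end outside the hunks shown, and match_tcp() itself is not visible, so its handling of fragments or short headers cannot be checked from here.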