From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Pablo Neira Ayuso , Sasha Levin Subject: [PATCH 5.10 359/593] netfilter: nft_tproxy: restrict support to TCP and UDP transport protocols Date: Mon, 12 Jul 2021 08:08:39 +0200 Message-Id: <20210712060925.931661269@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210712060843.180606720@linuxfoundation.org> References: <20210712060843.180606720@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Pablo Neira Ayuso [ Upstream commit 52f0f4e178c757b3d356087376aad8bd77271828 ] Add unfront check for TCP and UDP packets before performing further processing. Fixes: 4ed8eb6570a4 ("netfilter: nf_tables: Add native tproxy support") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin --- net/netfilter/nft_tproxy.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c index d67f83a0958d..242222dc52c3 100644 --- a/net/netfilter/nft_tproxy.c +++ b/net/netfilter/nft_tproxy.c @@ -30,6 +30,12 @@ static void nft_tproxy_eval_v4(const struct nft_expr *expr, __be16 tport = 0; struct sock *sk; + if (pkt->tprot != IPPROTO_TCP && + pkt->tprot != IPPROTO_UDP) { + regs->verdict.code = NFT_BREAK; + return; + } + hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr); if (!hp) { regs->verdict.code = NFT_BREAK; @@ -91,7 +97,8 @@ static void nft_tproxy_eval_v6(const struct nft_expr *expr, memset(&taddr, 0, sizeof(taddr)); - if (!pkt->tprot_set) { + if (pkt->tprot != IPPROTO_TCP && + pkt->tprot != IPPROTO_UDP) { regs->verdict.code = NFT_BREAK; return; } -- 2.30.2
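Review bot: the new early return in nft_tproxy_eval_v4 is correctly placed before skb_header_pointer(), since everything after it (the _hdr copy, tport, the sk lookup) assumes a TCP or UDP transport header, but the commit message only says "add upfront check" and does not state what went wrong for other protocols; one sentence explaining that the rest of the function parses _hdr as a TCP/UDP header would help reviewers and stable maintainers judge the backport. Returning NFT_BREAK (rule does not match) is consistent with the existing `if (!hp)` path, so the verdict choice is fine. Style: the identical two-line `pkt->tprot != IPPROTO_TCP && pkt->tprot != IPPROTO_UDP` condition now appears in both the v4 and v6 paths; a small static helper would avoid the duplication and keep the two paths from drifting.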
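Review bot: in nft_tproxy_eval_v6 the hunk replaces `if (!pkt->tprot_set)` with the TCP/UDP test, which silently drops the explicit check that a transport protocol was resolved at all; the two are only equivalent if pkt->tprot can never hold IPPROTO_TCP or IPPROTO_UDP while tprot_set is false (true if the pktinfo setup leaves tprot zeroed when it cannot parse the extension headers, but that is not visible in this diff). Either say so in the commit message or keep `!pkt->tprot_set ||` as the first operand of the new condition so the intent is explicit rather than relying on initialisation order.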