summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2011-06-16 17:24:17 +0200
committerPatrick McHardy <kaber@trash.net>2011-06-16 17:24:17 +0200
commit58d5a0257d2fd89fbe4451f704193cc95b0a9c97 (patch)
tree63ed637719b75c9b3476c360ef14662df3703a75
parent63f6fe92c6b3cbf4c0bbbea4b31fdd3d68e21e4d (diff)
netfilter: ipt_ecn: fix protocol check in ecn_mt_check()
Check for protocol inversion in ecn_mt_check() and remove the unnecessary runtime check for IPPROTO_TCP in ecn_mt(). Signed-off-by: Patrick McHardy <kaber@trash.net>
-rw-r--r--net/ipv4/netfilter/ipt_ecn.c4
1 files changed, 1 insertions, 3 deletions
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index af6e9c77834..aaa85be1b2d 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -76,8 +76,6 @@ static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
return false;
if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) {
- if (ip_hdr(skb)->protocol != IPPROTO_TCP)
- return false;
if (!match_tcp(skb, info, &par->hotdrop))
return false;
}
@@ -97,7 +95,7 @@ static int ecn_mt_check(const struct xt_mtchk_param *par)
return -EINVAL;
if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) &&
- ip->proto != IPPROTO_TCP) {
+ (ip->proto != IPPROTO_TCP || ip->invflags & IPT_INV_PROTO)) {
pr_info("cannot match TCP bits in rule for non-tcp packets\n");
return -EINVAL;
}