netfilter: nf_reject_ipv4: don't send tcp RST if the packet is non-TCP
In iptables, if the user adds a rule to send a tcp RST and specifies a
non-TCP protocol, such as UDP, the kernel will reject this request. But
in nftables, this validity check only occurs in the nft tool, i.e. only
in userspace.

This means that a user can add a rule like the following via nfnetlink:
  "nft add rule filter forward ip protocol udp reject with tcp reset"

This will generate some confusing tcp RST packets. So we should send a
tcp RST only when it is a TCP packet.

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang authored and Pablo Neira Ayuso committed Jun 24, 2016
1 parent 9847371 commit e1dbbc5
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions net/ipv4/netfilter/nf_reject_ipv4.c
Expand Up @@ -24,6 +24,9 @@ const struct tcphdr *nf_reject_ip_tcphdr_get(struct sk_buff *oldskb,
if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET))
return NULL;

if (ip_hdr(oldskb)->protocol != IPPROTO_TCP)
return NULL;

oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
sizeof(struct tcphdr), _oth);
if (oth == NULL)
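Review bot: the new `ip_hdr(oldskb)->protocol != IPPROTO_TCP` check is the right place to enforce this in the kernel rather than trusting userspace, but it should carry a short comment, since the function now returns NULL for three distinct reasons (fragment, non-TCP, header not pullable) and nothing in `nf_reject_ip_tcphdr_get` documents that a NULL return means "no RST is sent". Something like `/* RST is only meaningful for TCP; refuse to reply to other protocols */` above the new `if` would make the intent clear to the next reader. The ordering after the `IP_OFFSET` fragment check is fine, as both are cheap header reads and either condition alone is enough to suppress the reply.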
