]> git.ipfire.org Git - thirdparty/iptables.git/commitdiff
projects / thirdparty / iptables.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ec86937)
nft: Reject tcp/udp extension without proper protocol match
authorPhil Sutter <phil@nwl.cc>
Thu, 22 Dec 2022 14:58:27 +0000 (15:58 +0100)
committerPhil Sutter <phil@nwl.cc>
Thu, 22 Dec 2022 15:43:58 +0000 (16:43 +0100)
Internally, 'th' expression is used, which works but matches both
protocols. Since users won't expect '-m tcp --dport 1' to match UDP
packets, catch missing/wrong '-p' argument.

Fixes: c034cf31dd1a9 ("nft: prefer native expressions instead of udp match")
Signed-off-by: Phil Sutter <phil@nwl.cc>
extensions/libxt_tcp.t patch | blob | blame | history
extensions/libxt_udp.t patch | blob | blame | history
iptables/nft.c patch | blob | blame | history

diff --git a/extensions/libxt_tcp.t b/extensions/libxt_tcp.t
index b0e8006e51869584850ff22f2076b2c9125f30ee..7a3bbd08952f0147d9c9fc34bae49574f3987bd4 100644 (file)
--- a/extensions/libxt_tcp.t
+++ b/extensions/libxt_tcp.t
@@ -22,5 +22,8 @@
 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN;=;OK
 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN;=;OK
 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST;=;OK
+-m tcp --dport 1;;FAIL
+-m tcp --dport 1 -p tcp;-p tcp -m tcp --dport 1;OK
+-m tcp --dport 1 -p 6;-p tcp -m tcp --dport 1;OK
 # should we accept this below?
 -p tcp -m tcp;=;OK
diff --git a/extensions/libxt_udp.t b/extensions/libxt_udp.t
index 1b4d3dd62575989bbfe77027ee03b4fdaa0d1d4c..f534770191a6e198a3c81bb5e7a51814815cbe34 100644 (file)
--- a/extensions/libxt_udp.t
+++ b/extensions/libxt_udp.t
@@ -18,5 +18,8 @@
 # -p udp -m udp --sport 65536;;FAIL
 -p udp -m udp --sport -1;;FAIL
 -p udp -m udp --dport -1;;FAIL
+-m udp --dport 1;;FAIL
+-m udp --dport 1 -p udp;-p udp -m udp --dport 1;OK
+-m udp --dport 1 -p 17;-p udp -m udp --dport 1;OK
 # should we accept this below?
 -p udp -m udp;=;OK
diff --git a/iptables/nft.c b/iptables/nft.c
index 430888e864a5f28b16d5dee0061726331d1c8938..63468cf3b134431bbdeb690f5ed1e108563ef307 100644 (file)
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1360,6 +1360,9 @@ static int add_nft_udp(struct nft_handle *h, struct nftnl_rule *r,
                return ret;
        }
 
+       if (nftnl_rule_get_u32(r, NFTNL_RULE_COMPAT_PROTO) != IPPROTO_UDP)
+               xtables_error(PARAMETER_PROBLEM, "UDP match requires '-p udp'");
+
        return add_nft_tcpudp(h, r, udp->spts, udp->invflags & XT_UDP_INV_SRCPT,
                              udp->dpts, udp->invflags & XT_UDP_INV_DSTPT);
 }
@@ -1410,6 +1413,9 @@ static int add_nft_tcp(struct nft_handle *h, struct nftnl_rule *r,
                return ret;
        }
 
+       if (nftnl_rule_get_u32(r, NFTNL_RULE_COMPAT_PROTO) != IPPROTO_TCP)
+               xtables_error(PARAMETER_PROBLEM, "TCP match requires '-p tcp'");
+
        if (tcp->flg_mask) {
                int ret = add_nft_tcpflags(h, r, tcp->flg_cmp, tcp->flg_mask,
                                           tcp->invflags & XT_TCP_INV_FLAGS);
Mirror of git://git.netfilter.org/iptables