From: Chris Wright Date: Wed, 11 Jan 2006 07:25:31 +0000 (-0800) Subject: ebtables fix wrt. IP fragments, fwd from DaveM X-Git-Tag: v2.6.14.7~32 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e684eee8ed61e5daf6a1176dde90270c4544977b;p=thirdparty%2Fkernel%2Fstable-queue.git ebtables fix wrt. IP fragments, fwd from DaveM --- diff --git a/queue/fix-bridge-netfilter-matching-ip-fragments.patch b/queue/fix-bridge-netfilter-matching-ip-fragments.patch new file mode 100644 index 00000000000..afca55b048b --- /dev/null +++ b/queue/fix-bridge-netfilter-matching-ip-fragments.patch @@ -0,0 +1,35 @@ +From stable-bounces@linux.kernel.org Tue Jan 10 13:19:27 2006 +Date: Tue, 10 Jan 2006 13:13:45 -0800 (PST) +Message-Id: <20060110.131345.37717560.davem@davemloft.net> +To: stable@kernel.org +From: "David S. Miller" +Subject: [EBTABLES] Don't match tcp/udp source/destination port for IP fragments + +From: Bart De Schuymer + +Signed-off-by: Bart De Schuymer +Signed-off-by: David S. Miller +Signed-off-by: Chris Wright +--- + net/bridge/netfilter/ebt_ip.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- linux-2.6.15.y.orig/net/bridge/netfilter/ebt_ip.c ++++ linux-2.6.15.y/net/bridge/netfilter/ebt_ip.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -51,6 +52,8 @@ static int ebt_filter_ip(const struct sk + if (!(info->bitmask & EBT_IP_DPORT) && + !(info->bitmask & EBT_IP_SPORT)) + return EBT_MATCH; ++ if (ntohs(ih->frag_off) & IP_OFFSET) ++ return EBT_NOMATCH; + pptr = skb_header_pointer(skb, ih->ihl*4, + sizeof(_ports), &_ports); + if (pptr == NULL) diff --git a/queue/series b/queue/series index 2779d42c440..a9e41d3534d 100644 --- a/queue/series +++ b/queue/series @@ -8,3 +8,4 @@ fix-workqueue-oops-during-cpu-offline.patch netlink-oops-fix-due-to-incorrect-error-code.patch netfilter-fix-crash-in-ip_nat_pptp.patch netfilter-fix-another-crash-in-ip_nat_pptp.patch +fix-bridge-netfilter-matching-ip-fragments.patch
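Review bot: The fragment check added just before the skb_header_pointer() call in ebt_filter_ip() has no comment, and the queued patch carries only a subject line and sign-offs, so the reason for returning EBT_NOMATCH is left for the reader to work out. `ntohs(ih->frag_off) & IP_OFFSET` is non-zero for every fragment except the first, and those fragments have no TCP/UDP header at `ih->ihl*4`, so without the check the port comparison would run against payload bytes. Suggest a one-line comment above the check saying so, plus a changelog sentence describing the resulting rule behaviour: a rule with EBT_IP_SPORT or EBT_IP_DPORT set never matches non-first fragments after this change, so those fragments fall through to later rules or the chain policy, while the first fragment (offset 0) still reaches the port lookup.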