netfilter: nft_tproxy: restrict support to TCP and UDP transport protocols
authorPablo Neira Ayuso <pablo@netfilter.org>
Fri, 11 Jun 2021 17:26:56 +0000 (19:26 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 14 Jul 2021 14:59:54 +0000 (16:59 +0200)
[ Upstream commit 52f0f4e178c757b3d356087376aad8bd77271828 ]

Add an upfront check for TCP and UDP packets before performing further
processing.

Fixes: 4ed8eb6570a4 ("netfilter: nf_tables: Add native tproxy support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
net/netfilter/nft_tproxy.c

index 43a5a780a6d3b69bcff11b200b135fe13fdebaa6..37c728bdad41cb8e67a0ff8c6cadeeea4af9e6d4 100644 (file)
@@ -30,6 +30,12 @@ static void nft_tproxy_eval_v4(const struct nft_expr *expr,
        __be16 tport = 0;
        struct sock *sk;
 
+       if (pkt->tprot != IPPROTO_TCP &&
+           pkt->tprot != IPPROTO_UDP) {
+               regs->verdict.code = NFT_BREAK;
+               return;
+       }
+
        hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
        if (!hp) {
                regs->verdict.code = NFT_BREAK;
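Review bot: The new guard at the top of nft_tproxy_eval_v4 carries no comment saying why the evaluation is limited to TCP and UDP, and the same five lines are repeated verbatim in nft_tproxy_eval_v6 in the second hunk. A one-line comment above the condition would make the intent survive future edits, e.g. `/* tproxy only redirects to TCP/UDP sockets; bail before the transport header is read as a port pair. */` (the port parsing itself is below the hunk, so that wording should be confirmed against the rest of the function). Since the two copies are identical, a small `static bool nft_tproxy_l4proto_ok(const struct nft_pktinfo *pkt)` helper called from both evaluators would keep them from drifting apart. nft_tproxy_eval_v4 continues past the end of this hunk.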
@@ -91,7 +97,8 @@ static void nft_tproxy_eval_v6(const struct nft_expr *expr,
 
        memset(&taddr, 0, sizeof(taddr));
 
-       if (!pkt->tprot_set) {
+       if (pkt->tprot != IPPROTO_TCP &&
+           pkt->tprot != IPPROTO_UDP) {
                regs->verdict.code = NFT_BREAK;
                return;
        }
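Review bot: The replaced condition drops the explicit `!pkt->tprot_set` test, so the v6 path now relies on `pkt->tprot` holding a value distinct from IPPROTO_TCP/IPPROTO_UDP whenever the transport header could not be parsed; that is not visible from this hunk. If the pktinfo setup for the "unspec" case leaves `tprot` at 0 the new check subsumes the old one, but that reliance is worth stating in a comment, e.g. `/* tprot is 0 when unset, so this also covers !tprot_set */`. If it cannot be guaranteed, the condition should be `if (!pkt->tprot_set || (pkt->tprot != IPPROTO_TCP && pkt->tprot != IPPROTO_UDP)) {` so an unparsed transport layer still yields NFT_BREAK. nft_tproxy_eval_v6 continues past the end of this hunk.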