From: Jan Engelhardt <jengelh@inai.de>
Date: Thu, 9 Oct 2025 23:01:43 +0000 (+0200)
Subject: tarpit: check for unicast before looking at exthdrs
X-Git-Tag: v3.30~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dc2df70369f071dbe2b63498ce43ae9780208b4d;p=thirdparty%2Fxtables-addons.git

tarpit: check for unicast before looking at exthdrs

Save a few cycles.
---

diff --git a/extensions/xt_TARPIT.c b/extensions/xt_TARPIT.c
index d7bb361..71967b2 100644
--- a/extensions/xt_TARPIT.c
+++ b/extensions/xt_TARPIT.c
@@ -475,6 +475,11 @@ tarpit_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 		pr_debug("type != PACKET_HOST");
 		return NF_DROP;
 	}
+	if ((!(ipv6_addr_type(&iph->saddr) & IPV6_ADDR_UNICAST)) ||
+	    (!(ipv6_addr_type(&iph->daddr) & IPV6_ADDR_UNICAST))) {
+		pr_debug("addr is not unicast.\n");
+		return NF_DROP;
+	}
 
 	/*
 	 * Our naive response construction does not deal with IP
@@ -485,11 +490,6 @@ tarpit_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 	    &frag_off) != sizeof(struct ipv6hdr))
 		return NF_DROP;
 
-	if ((!(ipv6_addr_type(&iph->saddr) & IPV6_ADDR_UNICAST)) ||
-	    (!(ipv6_addr_type(&iph->daddr) & IPV6_ADDR_UNICAST))) {
-		pr_debug("addr is not unicast.\n");
-		return NF_DROP;
-	}
 	tarpit_tcp6(par, skb, info->variant);
 	return NF_DROP;
 }