netfilter: nft_tproxy: restrict support to TCP and UDP transport protocols
author
Pablo Neira Ayuso
<pablo@netfilter.org>
Fri, 11 Jun 2021 17:26:56 +0000
(19:26 +0200)
committer
Pablo Neira Ayuso
<pablo@netfilter.org>
Wed, 16 Jun 2021 18:51:51 +0000
(20:51 +0200)
Add an upfront check for TCP and UDP packets before performing further
processing.
Fixes:
4ed8eb6570a4
("netfilter: nf_tables: Add native tproxy support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
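--- a/net/netfilter/nft_tproxy.c
+++ b/net/netfilter/nft_tproxy.c
@@ -30,6 +30,12 @@ static void nft_tproxy_eval_v4(const struct nft_expr *expr,
 __be16 tport = 0;
 struct sock *sk;
+if (pkt->tprot != IPPROTO_TCP &&
+pkt->tprot != IPPROTO_UDP) {
+regs->verdict.code = NFT_BREAK;
+return;
+}
+
 hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
 if (!hp) {
 regs->verdict.code = NFT_BREAK;
@@ -91,7 +97,8 @@ static void nft_tproxy_eval_v6(const struct nft_expr *expr,
 memset(&taddr, 0, sizeof(taddr));
-if (!pkt->tprot_set) {
+if (pkt->tprot != IPPROTO_TCP &&
+pkt->tprot != IPPROTO_UDP) {
 regs->verdict.code = NFT_BREAK;
 return;
 }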
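Review bot: The transport-protocol test is pasted verbatim into both nft_tproxy_eval_v4 (first hunk) and nft_tproxy_eval_v6 (second hunk) with no comment saying why only TCP and UDP pass, so the two copies can silently drift apart the next time one of them is touched. A small static helper next to the two evaluators keeps the allow-list in one place and gives the rationale a home; the v6 hunk also replaces the `!pkt->tprot_set` guard with the new test, which presumably relies on tprot holding a non-TCP/UDP value when it is unset, and that assumption deserves a line of comment rather than being implicit. Both evaluators begin before and continue past their hunks, so the helper placement shown is only indicative.
```c
/* tproxy only redirects TCP and UDP sockets; the transport header is
 * parsed as such further down, so reject every other protocol here. */
static bool nft_tproxy_tprot_ok(const struct nft_pktinfo *pkt)
{
	return pkt->tprot == IPPROTO_TCP || pkt->tprot == IPPROTO_UDP;
}

/* … unchanged: nft_tproxy_eval_v4 locals … */
	if (!nft_tproxy_tprot_ok(pkt)) {
		regs->verdict.code = NFT_BREAK;
		return;
	}
/* … unchanged: skb_header_pointer() lookup and the rest of eval_v4; same replacement in eval_v6 … */
```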