netfilter: ipt_ecn: fix protocol check in ecn_mt_check()

Check for protocol inversion in ecn_mt_check() and remove the
unnecessary runtime check for IPPROTO_TCP in ecn_mt().

Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index af6e9c778345ff802916cc7fa0078cbd79735c81..aaa85be1b2d8bd9c336ffd1c54b806a286e50426 100644 (file)
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -76,8 +76,6 @@ static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
                        return false;
 
        if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) {
-               if (ip_hdr(skb)->protocol != IPPROTO_TCP)
-                       return false;
                if (!match_tcp(skb, info, &par->hotdrop))
                        return false;
        }
@@ -97,7 +95,7 @@ static int ecn_mt_check(const struct xt_mtchk_param *par)
                return -EINVAL;
 
        if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) &&
-           ip->proto != IPPROTO_TCP) {
+           (ip->proto != IPPROTO_TCP || ip->invflags & IPT_INV_PROTO)) {
                pr_info("cannot match TCP bits in rule for non-tcp packets\n");
                return -EINVAL;
        }