netfilter: ip6t_REJECT: check for IP6T_F_PROTO

Make sure IP6T_F_PROTO is set to enforce layer 4 protocol matching from
the ip6_tables core.

Suggested-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index 544b0a9da1b59db2fc59cbaf11a1eccd1de8dd3f..12331efd49cf865b2e3ce934a734af47f77928a1 100644 (file)
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -83,7 +83,8 @@ static int reject_tg6_check(const struct xt_tgchk_param *par)
                return -EINVAL;
        } else if (rejinfo->with == IP6T_TCP_RESET) {
                /* Must specify that it's a TCP packet */
-               if (e->ipv6.proto != IPPROTO_TCP ||
+               if (!(e->ipv6.flags & IP6T_F_PROTO) ||
+                   e->ipv6.proto != IPPROTO_TCP ||
                    (e->ipv6.invflags & XT_INV_PROTO)) {
                        pr_info("TCP_RESET illegal for non-tcp\n");
                        return -EINVAL;