netfilter: xt_CT: fix assignation of the generic protocol tracker

`iptables -p all' uses 0 to match all protocols, while the conntrack subsystem uses 255. We still need `-p all' to attach the custom timeout policies for the generic protocol tracker. Moreover, we may use `iptables -p sctp' while the SCTP tracker is not loaded. In that case, we have to default on the generic protocol tracker. Another possibility is `iptables -p ip' that should be supported as well. This patch makes sure we validate all possible scenarios. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: xt_CT: fix assignation of the generic protocol tracker
`iptables -p all' uses 0 to match all protocols, while the conntrack subsystem uses 255. We still need `-p all' to attach the custom timeout policies for the generic protocol tracker. Moreover, we may use `iptables -p sctp' while the SCTP tracker is not loaded. In that case, we have to default on the generic protocol tracker. Another possibility is `iptables -p ip' that should be supported as well. This patch makes sure we validate all possible scenarios. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pablo Neira Ayuso
1 parent 1ac0bf9926
Showing 1 changed file with 8 additions and 1 deletions Side-by-side Diff
net/netfilter/xt_CT.c
@@ -14,6 +14,7 @@
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_CT.h>
 #include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_l4proto.h>
 #include <net/netfilter/nf_conntrack_helper.h>
 #include <net/netfilter/nf_conntrack_ecache.h>
 #include <net/netfilter/nf_conntrack_l4proto.h>
@@ -224,6 +225,7 @@
  
 		if (timeout_find_get) {
 			const struct ipt_entry *e = par->entryinfo;
+			struct nf_conntrack_l4proto *l4proto;
  
 			if (e->ip.invflags & IPT_INV_PROTO) {
 				ret = -EINVAL;
@@ -245,7 +247,12 @@
 					info->timeout, timeout->l3num);
 				goto err4;
 			}
-			if (timeout->l4proto->l4proto != e->ip.proto) {
+			/* Make sure the timeout policy matches any existing
+			 * protocol tracker, otherwise default to generic.
+			 */
+			l4proto = __nf_ct_l4proto_find(par->family,
+						       e->ip.proto);
+			if (timeout->l4proto->l4proto != l4proto->l4proto) {
 				ret = -EINVAL;
 				pr_info("Timeout policy `%s' can only be "
 					"used by L4 protocol number %d\n",
...	...	@@ -14,6 +14,7 @@
14	14	#include <linux/netfilter/x_tables.h>
15	15	#include <linux/netfilter/xt_CT.h>
16	16	#include <net/netfilter/nf_conntrack.h>
	17	+#include <net/netfilter/nf_conntrack_l4proto.h>
17	18	#include <net/netfilter/nf_conntrack_helper.h>
18	19	#include <net/netfilter/nf_conntrack_ecache.h>
19	20	#include <net/netfilter/nf_conntrack_l4proto.h>
...	...	@@ -224,6 +225,7 @@
224	225
225	226	if (timeout_find_get) {
226	227	const struct ipt_entry *e = par->entryinfo;
	228	+ struct nf_conntrack_l4proto *l4proto;
227	229
228	230	if (e->ip.invflags & IPT_INV_PROTO) {
229	231	ret = -EINVAL;
...	...	@@ -245,7 +247,12 @@
245	247	info->timeout, timeout->l3num);
246	248	goto err4;
247	249	}
248		- if (timeout->l4proto->l4proto != e->ip.proto) {
	250	+ /* Make sure the timeout policy matches any existing
	251	+ * protocol tracker, otherwise default to generic.
	252	+ */
	253	+ l4proto = __nf_ct_l4proto_find(par->family,
	254	+ e->ip.proto);
	255	+ if (timeout->l4proto->l4proto != l4proto->l4proto) {
249	256	ret = -EINVAL;
250	257	pr_info("Timeout policy `%s' can only be "
251	258	"used by L4 protocol number %d\n",