diff options
| -rw-r--r-- | net/ipv4/netfilter/ipt_ecn.c | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c index af6e9c77834..aaa85be1b2d 100644 --- a/net/ipv4/netfilter/ipt_ecn.c +++ b/net/ipv4/netfilter/ipt_ecn.c | |||
| @@ -76,8 +76,6 @@ static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par) | |||
| 76 | return false; | 76 | return false; |
| 77 | 77 | ||
| 78 | if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) { | 78 | if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) { |
| 79 | if (ip_hdr(skb)->protocol != IPPROTO_TCP) | ||
| 80 | return false; | ||
| 81 | if (!match_tcp(skb, info, &par->hotdrop)) | 79 | if (!match_tcp(skb, info, &par->hotdrop)) |
| 82 | return false; | 80 | return false; |
| 83 | } | 81 | } |
| @@ -97,7 +95,7 @@ static int ecn_mt_check(const struct xt_mtchk_param *par) | |||
| 97 | return -EINVAL; | 95 | return -EINVAL; |
| 98 | 96 | ||
| 99 | if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) && | 97 | if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) && |
| 100 | ip->proto != IPPROTO_TCP) { | 98 | (ip->proto != IPPROTO_TCP || ip->invflags & IPT_INV_PROTO)) { |
| 101 | pr_info("cannot match TCP bits in rule for non-tcp packets\n"); | 99 | pr_info("cannot match TCP bits in rule for non-tcp packets\n"); |
| 102 | return -EINVAL; | 100 | return -EINVAL; |
| 103 | } | 101 | } |