authorPatrick McHardy <kaber@trash.net>2007-05-10 17:17:36 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2007-05-11 02:47:59 -0400
commit802169a4b0f71d25a0f798a9c0657a565b1e79bc (patch)
treeec2f1f9906463da2c00d351b2bfb6814a57246c2
parent4a176c1a61ed279f4d98b6adf9be84fb905d921c (diff)
[NETFILTER]: iptable_raw: ignore short packets sent by SOCK_RAW sockets
iptables matches and targets expect packets to have at least a full IP header and a valid header length. Ignore packets sent through raw sockets for which this isn't true as in the other tables. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/ipv4/netfilter/iptable_raw.c21
1 files changed, 20 insertions, 1 deletions
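--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -5,6 +5,7 @@
  */
 #include <linux/module.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
+#include <net/ip.h>
 
 #define RAW_VALID_HOOKS ((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT))
 
@@ -54,6 +55,24 @@ ipt_hook(unsigned int hook,
 	return ipt_do_table(pskb, hook, in, out, &packet_raw);
 }
 
+static unsigned int
+ipt_local_hook(unsigned int hook,
+	       struct sk_buff **pskb,
+	       const struct net_device *in,
+	       const struct net_device *out,
+	       int (*okfn)(struct sk_buff *))
+{
+	/* root is playing with raw sockets. */
+	if ((*pskb)->len < sizeof(struct iphdr) ||
+	    ip_hdrlen(*pskb) < sizeof(struct iphdr)) {
+		if (net_ratelimit())
+			printk("iptable_raw: ignoring short SOCK_RAW"
+			       "packet.\n");
+		return NF_ACCEPT;
+	}
+	return ipt_do_table(pskb, hook, in, out, &packet_raw);
+}
+
 /* 'raw' is the very first table. */
 static struct nf_hook_ops ipt_ops[] = {
 	{
@@ -64,7 +83,7 @@ static struct nf_hook_ops ipt_ops[] = {
 		.owner = THIS_MODULE,
 	},
 	{
-		.hook = ipt_hook,
+		.hook = ipt_local_hook,
 		.pf = PF_INET,
 		.hooknum = NF_IP_LOCAL_OUT,
 		.priority = NF_IP_PRI_RAW,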
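Review bot: The two string literals in the printk of the new ipt_local_hook (new lines 69-70) are joined without a separating space, so the logged message reads "ignoring short SOCK_RAWpacket."; the first literal should be `"iptable_raw: ignoring short SOCK_RAW "`. The same printk carries no log level, so it falls back to the default; `printk(KERN_NOTICE "iptable_raw: ignoring short SOCK_RAW "` would make the severity explicit like the rest of the netfilter code paths that ratelimit. The order of the two conditions in the if is load-bearing — the skb length is checked before ip_hdrlen() is consulted — and deserves a comment such as `/* check len first: ip_hdrlen() must not read a header that is not fully present */`, which is worth stating since a later reordering would silently reopen the short-packet case the commit closes. ipt_local_hook is entirely within the hunk; ipt_hook, whose tail is shown as context, starts outside it.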