diff options
author | Patrick McHardy <kaber@trash.net> | 2007-05-10 17:17:36 -0400 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2007-05-11 02:47:59 -0400 |
commit | 802169a4b0f71d25a0f798a9c0657a565b1e79bc (patch) | |
tree | ec2f1f9906463da2c00d351b2bfb6814a57246c2 /net/ipv4 | |
parent | 4a176c1a61ed279f4d98b6adf9be84fb905d921c (diff) |
[NETFILTER]: iptable_raw: ignore short packets sent by SOCK_RAW sockets
iptables matches and targets expect packets to have at least a full
IP header and a valid header length. Ignore packets sent through
raw sockets for which this isn't true as in the other tables.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4')
-rw-r--r-- | net/ipv4/netfilter/iptable_raw.c | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c index f7d28fd748e2..d6e503395684 100644 --- a/net/ipv4/netfilter/iptable_raw.c +++ b/net/ipv4/netfilter/iptable_raw.c | |||
@@ -5,6 +5,7 @@ | |||
5 | */ | 5 | */ |
6 | #include <linux/module.h> | 6 | #include <linux/module.h> |
7 | #include <linux/netfilter_ipv4/ip_tables.h> | 7 | #include <linux/netfilter_ipv4/ip_tables.h> |
8 | #include <net/ip.h> | ||
8 | 9 | ||
9 | #define RAW_VALID_HOOKS ((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT)) | 10 | #define RAW_VALID_HOOKS ((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT)) |
10 | 11 | ||
@@ -54,6 +55,24 @@ ipt_hook(unsigned int hook, | |||
54 | return ipt_do_table(pskb, hook, in, out, &packet_raw); | 55 | return ipt_do_table(pskb, hook, in, out, &packet_raw); |
55 | } | 56 | } |
56 | 57 | ||
58 | static unsigned int | ||
59 | ipt_local_hook(unsigned int hook, | ||
60 | struct sk_buff **pskb, | ||
61 | const struct net_device *in, | ||
62 | const struct net_device *out, | ||
63 | int (*okfn)(struct sk_buff *)) | ||
64 | { | ||
65 | /* root is playing with raw sockets. */ | ||
66 | if ((*pskb)->len < sizeof(struct iphdr) || | ||
67 | ip_hdrlen(*pskb) < sizeof(struct iphdr)) { | ||
68 | if (net_ratelimit()) | ||
69 | printk("iptable_raw: ignoring short SOCK_RAW" | ||
70 | "packet.\n"); | ||
71 | return NF_ACCEPT; | ||
72 | } | ||
73 | return ipt_do_table(pskb, hook, in, out, &packet_raw); | ||
74 | } | ||
75 | |||
57 | /* 'raw' is the very first table. */ | 76 | /* 'raw' is the very first table. */ |
58 | static struct nf_hook_ops ipt_ops[] = { | 77 | static struct nf_hook_ops ipt_ops[] = { |
59 | { | 78 | { |
@@ -64,7 +83,7 @@ static struct nf_hook_ops ipt_ops[] = { | |||
64 | .owner = THIS_MODULE, | 83 | .owner = THIS_MODULE, |
65 | }, | 84 | }, |
66 | { | 85 | { |
67 | .hook = ipt_hook, | 86 | .hook = ipt_local_hook, |
68 | .pf = PF_INET, | 87 | .pf = PF_INET, |
69 | .hooknum = NF_IP_LOCAL_OUT, | 88 | .hooknum = NF_IP_LOCAL_OUT, |
70 | .priority = NF_IP_PRI_RAW, | 89 | .priority = NF_IP_PRI_RAW, |