1 files changed, 19 insertions, 2 deletions
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index b0599b98d1b6..a5d0c27cc26f 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -740,6 +740,21 @@ find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
        return ret;
 }
+static bool check_underflow(struct ip6t_entry *e)
+{
+        const struct ip6t_entry_target *t;
+        unsigned int verdict;
+        if (!unconditional(&e->ipv6))
+                return false;
+        t = ip6t_get_target(e);
+        if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
+                return false;
+        verdict = ((struct ip6t_standard_target *)t)->verdict;
+        verdict = -verdict - 1;
+        return verdict == NF_DROP || verdict == NF_ACCEPT;
+}
 static int
 check_entry_size_and_hooks(struct ip6t_entry *e,
                           struct xt_table_info *newinfo,
@@ -772,8 +787,10 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
                if ((unsigned char *)e - base == hook_entries[h])
                        newinfo->hook_entry[h] = hook_entries[h];
                if ((unsigned char *)e - base == underflows[h]) {
-                        if (!unconditional(&e->ipv6)) {
+                        if (!check_underflow(e)) {
-                                pr_err("Underflows must be unconditional\n");
+                                pr_err("Underflows must be unconditional and "
+                                       "use the STANDARD target with "
+                                       "ACCEPT/DROP\n");
                                return -EINVAL;
                        }
                        newinfo->underflow[h] = underflows[h];

diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index b0599b98d1b6..a5d0c27cc26f 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c
@@ -740,6 +740,21 @@ find_check_entry(struct ip6t_entry e, const char name, unsigned int size,
740	return ret;	740	return ret;
741	}	741	}
742		742
		743	static bool check_underflow(struct ip6t_entry *e)
		744	{
		745	const struct ip6t_entry_target *t;
		746	unsigned int verdict;
		747
		748	if (!unconditional(&e->ipv6))
		749	return false;
		750	t = ip6t_get_target(e);
		751	if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
		752	return false;
		753	verdict = ((struct ip6t_standard_target *)t)->verdict;
		754	verdict = -verdict - 1;
		755	return verdict == NF_DROP \|\| verdict == NF_ACCEPT;
		756	}
		757
743	static int	758	static int
744	check_entry_size_and_hooks(struct ip6t_entry *e,	759	check_entry_size_and_hooks(struct ip6t_entry *e,
745	struct xt_table_info *newinfo,	760	struct xt_table_info *newinfo,
@@ -772,8 +787,10 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
772	if ((unsigned char *)e - base == hook_entries[h])	787	if ((unsigned char *)e - base == hook_entries[h])
773	newinfo->hook_entry[h] = hook_entries[h];	788	newinfo->hook_entry[h] = hook_entries[h];
774	if ((unsigned char *)e - base == underflows[h]) {	789	if ((unsigned char *)e - base == underflows[h]) {
775	if (!unconditional(&e->ipv6)) {	790	if (!check_underflow(e)) {
776	pr_err("Underflows must be unconditional\n");	791	pr_err("Underflows must be unconditional and "
		792	"use the STANDARD target with "
		793	"ACCEPT/DROP\n");
777	return -EINVAL;	794	return -EINVAL;
778	}	795	}
779	newinfo->underflow[h] = underflows[h];	796	newinfo->underflow[h] = underflows[h];