Commit b336fdb

netfilter: nft_osf: restrict it to ipv4

This expression only supports ipv4, restrict it.

Fixes: b96af92 ("netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf")
Acked-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
1 parent a663bac commit b336fdb

1 file changed

Lines changed: 5 additions & 1 deletion

net/netfilter/nft_osf.c

@@ -28,6 +28,11 @@ static void nft_osf_eval(const struct nft_expr *expr, struct nft_regs *regs,
2828
struct nf_osf_data data;
2929
struct tcphdr _tcph;
3030

31+
if (nft_pf(pkt) != NFPROTO_IPV4) {
32+
regs->verdict.code = NFT_BREAK;
33+
return;
34+
}
35+
3136
if (pkt->tprot != IPPROTO_TCP) {
3237
regs->verdict.code = NFT_BREAK;
3338
return;
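Review bot: the new `nft_pf(pkt) != NFPROTO_IPV4` check at the top of nft_osf_eval() has no comment explaining why it is needed at runtime. nft_osf_validate() still accepts NFPROTO_INET, so in an inet table this check is the only thing that keeps non-IPv4 packets away from the TCP header handling that follows it. A one-line comment saying so would stop someone from later removing it as redundant with the family switch in the validate path. It also returns NFT_BREAK, so for IPv6 traffic the rule silently does not match; that behaviour is worth a sentence in the changelog.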
@@ -114,7 +119,6 @@ static int nft_osf_validate(const struct nft_ctx *ctx,
114119

115120
switch (ctx->family) {
116121
case NFPROTO_IPV4:
117-
case NFPROTO_IPV6:
118122
case NFPROTO_INET:
119123
hooks = (1 << NF_INET_LOCAL_IN) |
120124
(1 << NF_INET_PRE_ROUTING) |
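Review bot: dropping `case NFPROTO_IPV6:` from the switch in nft_osf_validate() changes which rulesets load, and the changelog does not mention it. The default branch is not visible in this hunk; please confirm it returns an error, so that an osf expression in an ip6 table is rejected at load time rather than accepted without the hook restriction. NFPROTO_INET stays in the list, so correctness for inet tables depends on the runtime family check in nft_osf_eval(); a short comment next to the case labels would make that dependency explicit.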
