>From b52f4de91f4eace20e01524cb487bad0a9e35dc4 Mon Sep 17 00:00:00 2001
From: Andreas Schultz
Date: Mon, 1 Jun 2015 15:49:12 +0200
Subject: [PATCH 1/3] netfilter: x_tables: add context to ipt_REJECT, xt_TPROXY and generix x_tables know if extension runs from nft_compat

---
 net/ipv4/netfilter/ipt_REJECT.c | 2 ++
 net/netfilter/x_tables.c | 4 ++--
 net/netfilter/xt_TPROXY.c | 6 ++++++
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 87907d4..2f8f76c 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -76,6 +76,8 @@ static int reject_tg_check(const struct xt_tgchk_param *par)
 	if (rejinfo->with == IPT_ICMP_ECHOREPLY) {
 		pr_info("ECHOREPLY no longer supported.\n");
 		return -EINVAL;
+	} else if (par->nft_compat) {
+		return 0;
 	} else if (rejinfo->with == IPT_TCP_RESET) {
 		/* Must specify that it's a TCP packet */
 		if (e->ip.proto != IPPROTO_TCP ||
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 51a459c..fd9b421 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -400,7 +400,7 @@ int xt_check_match(struct xt_mtchk_param *par,
 			par->family));
 		return -EINVAL;
 	}
-	if (par->match->proto && (par->match->proto != proto || inv_proto)) {
+	if (!par->nft_compat && par->match->proto && (par->match->proto != proto || inv_proto)) {
 		pr_err("%s_tables: %s match: only valid for protocol %u\n",
 		       xt_prefix[par->family], par->match->name,
 		       par->match->proto);
@@ -575,7 +575,7 @@ int xt_check_target(struct xt_tgchk_param *par,
 			par->family));
 		return -EINVAL;
 	}
-	if (par->target->proto && (par->target->proto != proto || inv_proto)) {
+	if (!par->nft_compat && par->target->proto && (par->target->proto != proto || inv_proto)) {
 		pr_err("%s_tables: %s target: only valid for protocol %u\n",
 		       xt_prefix[par->family], par->target->name,
 		       par->target->proto);
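Review bot: The new `} else if (par->nft_compat) {` branch in reject_tg_check() returns success before the IPT_TCP_RESET branch runs, so under nft_compat a `--reject-with tcp-reset` target can be attached to a rule that is not restricted to TCP, which is exactly what the following "Must specify that it's a TCP packet" check exists to prevent. That is only safe if the runtime reset path (nf_send_reset(), outside this hunk) refuses non-TCP packets on its own; I believe it checks the IP protocol before building the RST, but the new code now depends on that and it should be written down, e.g. `/* nft_compat: no L3 proto known at check time; nf_send_reset() verifies IPPROTO_TCP per packet */` above the branch. It would also be narrower to keep the early return inside the IPT_TCP_RESET branch, skipping only the `e->ip.proto` test, so that any future `with` value still gets its option validation for nft rules. reject_tg_check() continues past the end of the hunk.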
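Review bot: In xt_check_match() the added `!par->nft_compat &&` clause switches off the protocol precondition for every match with a non-zero `.proto` (tcp, udp, sctp, dccp, ...) whenever the caller is nft_compat, including iptables-compat rules that, as I recall, do supply a protocol through NFTA_RULE_COMPAT, so those matches' ->match() hooks may now be invoked on packets of any L4 protocol. skb_header_pointer() bounds the header read, so this is a correctness rather than a memory-safety regression, but a match written on the assumption that the check held can now misfire (a UDP payload interpreted as TCP flags), and the "only valid for protocol" message right below becomes untrue for nft. If the intent is to cover only native nft rules that carry no protocol at all, the skip should say so, e.g. `if (!(par->nft_compat && !proto && !inv_proto) && par->match->proto && (par->match->proto != proto || inv_proto)) {`, with a comment `/* native nft rules carry no L4 proto; the extension must check at runtime */`; the blanket form silently drops a check iptables-compat users were getting. xt_check_match() continues outside the hunk.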
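Review bot: The rewritten condition in xt_check_target() is now the same expression as in xt_check_match() a few lines up, duplicated by hand and, at roughly 95 columns with the leading tab, over the kernel's 80-column limit that checkpatch will flag; a small helper such as `static bool xt_proto_ok(const bool nft_compat, u8 want, u8 proto, bool inv)` (or at least wrapping the condition after `&&`) keeps the two call sites in step. Separately, the diffstat lists no change to the header that defines struct xt_tgchk_param/xt_mtchk_param, so unless `nft_compat` already exists there this patch 1/3 does not build on its own and breaks bisection; the field addition (and the nft_compat.c code that sets it) should land in or before this commit. xt_check_target() continues outside the hunk.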
diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c
index cca96ce..90da66c 100644
--- a/net/netfilter/xt_TPROXY.c
+++ b/net/netfilter/xt_TPROXY.c
@@ -519,6 +519,9 @@ static int tproxy_tg6_check(const struct xt_tgchk_param *par)
 {
 	const struct ip6t_ip6 *i = par->entryinfo;
 
+	if (par->nft_compat)
+		return 0;
+
 	if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP) &&
 	    !(i->invflags & IP6T_INV_PROTO))
 		return 0;
@@ -533,6 +536,9 @@ static int tproxy_tg4_check(const struct xt_tgchk_param *par)
 {
 	const struct ipt_ip *i = par->entryinfo;
 
+	if (par->nft_compat)
+		return 0;
+
 	if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP) &&
 	    !(i->invflags & IPT_INV_PROTO))
 		return 0;
-- 
2.1.4
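Review bot: The early `if (par->nft_compat) return 0;` in tproxy_tg6_check() removes the only guarantee that tproxy_tg6() ever sees a TCP or UDP packet, and the runtime path (tproxy_tg6() / nf_tproxy_get_sock_v6(), outside this hunk) was written under that guarantee; as I recall its protocol switch ends in `default: WARN_ON(1)`, which any remote host could then trigger with an ICMPv6 or other non-TCP/UDP packet hitting an nft rule that lacks a `meta l4proto` restriction, giving a warning flood or a crash under panic_on_warn. Please confirm that path before relying on this skip; if it does WARN, the default case should become a quiet non-match, and the target should return XT_CONTINUE rather than NF_DROP for protocols it cannot proxy so unrelated traffic is not dropped. A comment on the new lines would also help the next reader: `/* nft_compat: rule may carry no L4 proto; tproxy_tg6() must tolerate other protocols */`. tproxy_tg6_check() ends outside the hunk.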
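Review bot: tproxy_tg4_check() now returns 0 for every nft_compat caller, but `par->entryinfo` is not empty in that case: as I recall, nft_compat builds a synthetic ipt_entry from NFTA_RULE_COMPAT, so when the rule did specify a protocol the existing `i->proto`/`IPT_INV_PROTO` check below would still have been meaningful, and the unconditional return throws that information away. A narrower skip keeps the check whenever a protocol was supplied, e.g. `if (par->nft_compat && !i->proto && !(i->invflags & IPT_INV_PROTO)) return 0; /* native nft rule: no L3 proto to check */`, which leaves iptables-compat users with the same validation they had before. The same applies to the tproxy_tg6_check() hunk above, where `IP6T_INV_PROTO` is the flag to test. tproxy_tg4_check() ends outside the hunk.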