Currently a match will continue even if the user-specified nfproto doesn't match the packet's, so restrict matching to the cases where they are equal or the nfproto is unspecified.
Signed-off-by: Nikolay Aleksandrov <niko...@cumulusnetworks.com>
---
 net/sched/em_ipt.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/sched/em_ipt.c b/net/sched/em_ipt.c
index 23965a071177..d4257f5f1d94 100644
--- a/net/sched/em_ipt.c
+++ b/net/sched/em_ipt.c
@@ -187,11 +187,17 @@ static int em_ipt_match(struct sk_buff *skb, struct tcf_ematch *em,
 switch (tc_skb_protocol(skb)) {
 case htons(ETH_P_IP):
+ if (im->match->family != NFPROTO_UNSPEC &&
+ im->match->family != NFPROTO_IPV4)
+ return 0;
 if (!pskb_network_may_pull(skb, sizeof(struct iphdr)))
 return 0;
 state.pf = NFPROTO_IPV4;
 break;
 case htons(ETH_P_IPV6):
+ if (im->match->family != NFPROTO_UNSPEC &&
+ im->match->family != NFPROTO_IPV6)
+ return 0;
 if (!pskb_network_may_pull(skb, sizeof(struct ipv6hdr)))
 return 0;
 state.pf = NFPROTO_IPV6;
--
2.20.1
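Review bot: The same three-line family check is added to both the ETH_P_IP and ETH_P_IPV6 cases, and each case already records the packet's family in `state.pf`, so the check can be written once after the `switch` instead: `if (im->match->family != NFPROTO_UNSPEC && im->match->family != state.pf) return 0;`. That keeps a single place to audit for the "registered match family must agree with the packet family" rule, which is the security-relevant invariant this patch introduces, and avoids the two copies drifting if another family case is added later. The `default: return 0;` arm of the switch appears to be outside the visible hunk, so the hoisted check would only run for the two recognised families; please confirm against the full function. em_ipt_match begins before this hunk (`im` is initialised there) and continues after it, and the hunk header's old-side count suggests a trailing context line was lost in the mail rendering.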