[3.16.y-ckt stable] Patch "netfilter: nft_compat: set IP6T_F_PROTO flag if protocol is set" has been added to staging queue

Luis Henriques luis.henriques at canonical.com
Wed May 20 12:31:51 UTC 2015 

This is a note to let you know that I have just added a patch titled

    netfilter: nft_compat: set IP6T_F_PROTO flag if protocol is set

to the linux-3.16.y-queue branch of the 3.16.y-ckt extended stable tree 
which can be found at:

    http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-3.16.y-queue

This patch is scheduled to be released in version 3.16.7-ckt12.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.16.y-ckt tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

------

>From 0d7bf415bda560aae97dbac578f4f5a2e13b198e Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo at netfilter.org>
Date: Sat, 21 Mar 2015 19:25:05 +0100
Subject: netfilter: nft_compat: set IP6T_F_PROTO flag if protocol is set

commit 749177ccc74f9c6d0f51bd78a15c652a2134aa11 upstream.

ip6tables extensions check for this flag to restrict match/target to a
given protocol. Without this flag set, SYNPROXY6 returns an error.

Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
Acked-by: Patrick McHardy <kaber at trash.net>
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 net/netfilter/nft_compat.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index 318e1f1b0e4c..4b8de88bb49d 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -82,6 +82,9 @@ nft_target_set_tgchk_param(struct xt_tgchk_param *par,
 		entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
 		break;
 	case AF_INET6:
+		if (proto)
+			entry->e6.ipv6.flags |= IP6T_F_PROTO;
+
 		entry->e6.ipv6.proto = proto;
 		entry->e6.ipv6.invflags = inv ? IP6T_INV_PROTO : 0;
 		break;
@@ -322,6 +325,9 @@ nft_match_set_mtchk_param(struct xt_mtchk_param *par, const struct nft_ctx *ctx,
 		entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
 		break;
 	case AF_INET6:
+		if (proto)
+			entry->e6.ipv6.flags |= IP6T_F_PROTO;
+
 		entry->e6.ipv6.proto = proto;
 		entry->e6.ipv6.invflags = inv ? IP6T_INV_PROTO : 0;
 		break;

More information about the kernel-team mailing list