@@ -187,11 +187,17 @@ static int em_ipt_match(struct sk_buff *skb, struct tcf_ematch *em,
switch (tc_skb_protocol(skb)) {
case htons(ETH_P_IP):
+ if (im->match->family != NFPROTO_UNSPEC &&
+ im->match->family != NFPROTO_IPV4)
+ return 0;
if (!pskb_network_may_pull(skb, sizeof(struct iphdr)))
return 0;
state.pf = NFPROTO_IPV4;
break;
case htons(ETH_P_IPV6):
+ if (im->match->family != NFPROTO_UNSPEC &&
+ im->match->family != NFPROTO_IPV6)
+ return 0;
if (!pskb_network_may_pull(skb, sizeof(struct ipv6hdr)))
return 0;
state.pf = NFPROTO_IPV6;
Currently a match will continue even if the user-specified nfproto doesn't match the packet's, so restrict it only to when they're equal or the protocol is unspecified. Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> --- net/sched/em_ipt.c | 6 ++++++ 1 file changed, 6 insertions(+)