On Mon, Aug 20, 2018 at 01:34:58PM +0200, Florian Westphal wrote:
> @@ -43,6 +48,18 @@ static int checksum_tg_check(const struct xt_tgchk_param 
> *par)
>       if (!einfo->operation)
>               return -EINVAL;
>  
> +     switch (par->family) {
> +     case NFPROTO_IPV4:
> +             if (i4->proto == IPPROTO_UDP && (i4->invflags & XT_INV_PROTO) 
> == 0)
> +                     return 0;
> +             break;
> +     case NFPROTO_IPV6:
> +             if (i6->proto == IPPROTO_UDP && (i6->invflags & XT_INV_PROTO) 
> == 0)
> +                     return 0;
> +             break;
> +     }
> +
> +     pr_warn_once("CHECKSUM should be avoided.  If really needed, restrict 
> with \"-p udp\" and only use in OUTPUT\n");
>       return 0;
>  }
>  
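
Review bot: The pr_warn_once() text tells the user to "only use in OUTPUT", but the switch above it tests only the protocol match, so a "-p udp" rule in any other chain returns 0 silently while the hook is never examined. Either check the hook here as well (par->hook_mask is available in checksum_tg_check()) or reword the message so it matches what is actually tested. The switch also has no default case, so any family other than NFPROTO_IPV4 and NFPROTO_IPV6 always reaches the warning; a short comment saying that is intended would help.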

In the IPv6 branch, you should also check (i6->flags & IP6T_F_PROTO).
It's probably not a big deal but as other places checking protocol
do that, it would be better to be consistent.

The rest looks fine to me.

Michal Kubecek
