netfilter: nf_conntrack: restrict NAT helper invocation to IPv4

[firefly-linux-kernel-4.4.55.git] / net / netfilter / nf_conntrack_ftp.c

diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 4bb771d1f57af53545b9eb36687ba000fd535fde..3e1587e63c0342b24bebf7642c889366c5db7746 100644 (file)
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -487,7 +487,8 @@ static int help(struct sk_buff *skb,
        /* Now, NAT might want to mangle the packet, and register the
         * (possibly changed) expectation itself. */
        nf_nat_ftp = rcu_dereference(nf_nat_ftp_hook);
-       if (nf_nat_ftp && ct->status & IPS_NAT_MASK)
+       if (nf_nat_ftp && nf_ct_l3num(ct) == NFPROTO_IPV4 &&
+           ct->status & IPS_NAT_MASK)
                ret = nf_nat_ftp(skb, ctinfo, search[dir][i].ftptype,
                                 matchoff, matchlen, exp);
        else {