[3.16.y-ckt stable] Patch "netfilter: nf_tables: allow to change chain policy without hook if it exists" has been added to staging queue

Luis Henriques luis.henriques at canonical.com
Wed May 20 12:31:52 UTC 2015


This is a note to let you know that I have just added a patch titled

    netfilter: nf_tables: allow to change chain policy without hook if it exists

to the linux-3.16.y-queue branch of the 3.16.y-ckt extended stable tree 
which can be found at:

    http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-3.16.y-queue

This patch is scheduled to be released in version 3.16.7-ckt12.

If you, or anyone else, feel it should not be added to this tree, please
reply to this email.

For more information about the 3.16.y-ckt tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

------

From 27c7cbcb9b0c7f5f2a1c4d82f8174ff8ccd0babc Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo at netfilter.org>
Date: Tue, 17 Mar 2015 13:21:42 +0100
Subject: netfilter: nf_tables: allow to change chain policy without hook if it
 exists

commit d6b6cb1d3e6f78d55c2d4043d77d0d8def3f3b99 upstream.

If there's an existing base chain, we have to allow changing the
default policy without indicating the hook information.

However, if the chain doesn't exist, we have to enforce the presence of
the hook attribute.

Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 net/netfilter/nf_tables_api.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 41abb8281a4c..7b049cb56825 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -993,7 +993,10 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,

 	if (nla[NFTA_CHAIN_POLICY]) {
 		if ((chain != NULL &&
-		    !(chain->flags & NFT_BASE_CHAIN)) ||
+		    !(chain->flags & NFT_BASE_CHAIN)))
+			return -EOPNOTSUPP;
+
+		if (chain == NULL &&
 		    nla[NFTA_CHAIN_HOOK] == NULL)
 			return -EOPNOTSUPP;

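Review bot: the doubled parentheses in the first check are a leftover from the removed `||` and should be dropped: `if ((chain != NULL && !(chain->flags & NFT_BASE_CHAIN)))` reads cleaner as `if (chain != NULL && !(chain->flags & NFT_BASE_CHAIN))`. Both branches still return -EOPNOTSUPP, so userspace cannot tell "policy on a non-base chain" apart from "new chain without a hook attribute"; if the second case is meant to be reported as a malformed request, -EINVAL is the conventional code for a missing mandatory attribute. The hunk's context stops at the second return, so the path that now reaches the policy update for an existing base chain without NFTA_CHAIN_HOOK is not visible here and needs to be checked against the lines that follow.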