[PATCH 3.16.y-ckt 124/129] netfilter: nf_tables: allow to change chain policy without hook if it exists
Luis Henriques
luis.henriques at canonical.com
Fri May 22 08:58:29 UTC 2015
3.16.7-ckt12 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo at netfilter.org>
commit d6b6cb1d3e6f78d55c2d4043d77d0d8def3f3b99 upstream.
If there's an existing base chain, we have to allow to change the
default policy without indicating the hook information.
However, if the chain doesn't exists, we have to enforce the presence of
the hook attribute.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
net/netfilter/nf_tables_api.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 41abb8281a4c..7b049cb56825 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -993,7 +993,10 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
if (nla[NFTA_CHAIN_POLICY]) {
if ((chain != NULL &&
- !(chain->flags & NFT_BASE_CHAIN)) ||
+ !(chain->flags & NFT_BASE_CHAIN)))
+ return -EOPNOTSUPP;
+
+ if (chain == NULL &&
nla[NFTA_CHAIN_HOOK] == NULL)
return -EOPNOTSUPP;
More information about the kernel-team
mailing list