From mboxrd@z Thu Jan 1 00:00:00 1970 From: Eric Leblond Subject: [PATCHv3 1/3] netfilter: nft: fix issue with verdict support Date: Thu, 5 Dec 2013 22:31:26 +0100 Message-ID: <1386279088-4895-2-git-send-email-eric@regit.org> References: <20131205170955.GA8663@localhost> <1386279088-4895-1-git-send-email-eric@regit.org> Cc: netfilter-devel@vger.kernel.org, fw@strlen.de, Eric Leblond To: pablo@netfilter.org Return-path: Received: from ks28632.kimsufi.com ([91.121.96.152]:58646 "EHLO ks28632.kimsufi.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750877Ab3LEVbx (ORCPT ); Thu, 5 Dec 2013 16:31:53 -0500 In-Reply-To: <1386279088-4895-1-git-send-email-eric@regit.org> Sender: netfilter-devel-owner@vger.kernel.org List-ID: The test on verdict was simply done on the value of the verdict which is not correct as far as queue is concern. In fact, the test of verdict test must be done with respect to the verdict mask for verdicts which are not internal to nftables. Signed-off-by: Eric Leblond --- net/netfilter/nf_tables_core.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c index cb9e685..e8fcc34 100644 --- a/net/netfilter/nf_tables_core.c +++ b/net/netfilter/nf_tables_core.c @@ -164,7 +164,7 @@ next_rule: break; } - switch (data[NFT_REG_VERDICT].verdict) { + switch (data[NFT_REG_VERDICT].verdict & NF_VERDICT_MASK) { case NF_ACCEPT: case NF_DROP: case NF_QUEUE: @@ -172,6 +172,9 @@ next_rule: nft_trace_packet(pkt, chain, rulenum, NFT_TRACE_RULE); return data[NFT_REG_VERDICT].verdict; + } + + switch (data[NFT_REG_VERDICT].verdict) { case NFT_JUMP: if (unlikely(pkt->skb->nf_trace)) nft_trace_packet(pkt, chain, rulenum, NFT_TRACE_RULE); -- 1.8.5