From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 01/13] netfilter: nf_tables: fix issue with verdict support
Date: Mon, 6 Jan 2014 14:46:30 +0100 [thread overview]
Message-ID: <1389016002-9116-2-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1389016002-9116-1-git-send-email-pablo@netfilter.org>
From: Eric Leblond <eric@regit.org>
The test on verdict was simply done on the value of the verdict
which is not correct as far as queue is concern. In fact, the test
of verdict test must be done with respect to the verdict mask for
verdicts which are not internal to nftables.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_core.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index cb9e685..e8fcc34 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -164,7 +164,7 @@ next_rule:
break;
}
- switch (data[NFT_REG_VERDICT].verdict) {
+ switch (data[NFT_REG_VERDICT].verdict & NF_VERDICT_MASK) {
case NF_ACCEPT:
case NF_DROP:
case NF_QUEUE:
@@ -172,6 +172,9 @@ next_rule:
nft_trace_packet(pkt, chain, rulenum, NFT_TRACE_RULE);
return data[NFT_REG_VERDICT].verdict;
+ }
+
+ switch (data[NFT_REG_VERDICT].verdict) {
case NFT_JUMP:
if (unlikely(pkt->skb->nf_trace))
nft_trace_packet(pkt, chain, rulenum, NFT_TRACE_RULE);
--
1.7.10.4
next prev parent reply other threads:[~2014-01-06 13:46 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-06 13:46 [PATCH 00/13] nftables updates for net-next Pablo Neira Ayuso
2014-01-06 13:46 ` Pablo Neira Ayuso [this message]
2014-01-06 13:46 ` [PATCH 02/13] netfilter: xt_NFQUEUE: separate reusable code Pablo Neira Ayuso
2014-01-06 14:02 ` Florian Westphal
2014-01-06 13:46 ` [PATCH 03/13] netfilter: nft: add queue module Pablo Neira Ayuso
2014-01-06 13:46 ` [PATCH 04/13] netfilter: nf_tables: Expose the table usage counter via netlink Pablo Neira Ayuso
2014-01-06 13:46 ` [PATCH 05/13] netfilter: nf_tables: nft_meta module get/set ops Pablo Neira Ayuso
2014-01-06 13:46 ` [PATCH 06/13] netfilter: nf_tables: remove nft_meta_target Pablo Neira Ayuso
2014-01-06 13:46 ` [PATCH 07/13] netfilter: select NFNETLINK when enabling NF_TABLES Pablo Neira Ayuso
2014-01-06 13:46 ` [PATCH 08/13] netfilter: REJECT: separate reusable code Pablo Neira Ayuso
2014-01-06 13:46 ` [PATCH 09/13] netfilter: nft_reject: support for IPv6 and TCP reset Pablo Neira Ayuso
2014-01-06 13:46 ` [PATCH 10/13] netfilter: add help information to new nf_tables Kconfig options Pablo Neira Ayuso
2014-01-06 13:46 ` [PATCH 11/13] netfilter: nf_tables: fix type in parsing in nf_tables_set_alloc_name() Pablo Neira Ayuso
2014-01-06 13:46 ` [PATCH 12/13] netfilter: nf_tables: remove unused variable in nf_tables_dump_set() Pablo Neira Ayuso
2014-01-06 13:46 ` [PATCH 13/13] netfilter: nf_tables: dump sets in all existing families Pablo Neira Ayuso
2014-01-06 18:30 ` [PATCH 00/13] nftables updates for net-next David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1389016002-9116-2-git-send-email-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).