From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 3/6] netfilter: nf_tables: allow to change chain policy without hook if it exists
Date: Sun, 22 Mar 2015 19:46:35 +0100 [thread overview]
Message-ID: <1427049998-5665-4-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1427049998-5665-1-git-send-email-pablo@netfilter.org>
If there's an existing base chain, we have to allow to change the
default policy without indicating the hook information.
However, if the chain doesn't exists, we have to enforce the presence of
the hook attribute.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 6ab7779..ac1a952 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1225,7 +1225,10 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
if (nla[NFTA_CHAIN_POLICY]) {
if ((chain != NULL &&
- !(chain->flags & NFT_BASE_CHAIN)) ||
+ !(chain->flags & NFT_BASE_CHAIN)))
+ return -EOPNOTSUPP;
+
+ if (chain == NULL &&
nla[NFTA_CHAIN_HOOK] == NULL)
return -EOPNOTSUPP;
--
1.7.10.4
next prev parent reply other threads:[~2015-03-22 18:46 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-22 18:46 [PATCH 0/6] Netfilter fixes for net Pablo Neira Ayuso
2015-03-22 18:46 ` [PATCH 1/6] netfilter: Zero the tuple in nfnl_cthelper_parse_tuple() Pablo Neira Ayuso
2015-03-22 18:46 ` [PATCH 2/6] netfilter: Fix potential crash in nft_hash walker Pablo Neira Ayuso
2015-03-22 18:46 ` Pablo Neira Ayuso [this message]
2015-03-22 18:46 ` [PATCH 4/6] netfilter: restore rule tracing via nfnetlink_log Pablo Neira Ayuso
2015-03-22 18:46 ` [PATCH 5/6] netfilter: xt_TPROXY: fix invflags check in tproxy_tg6_check() Pablo Neira Ayuso
2015-03-22 18:46 ` [PATCH 6/6] netfilter: nft_compat: set IP6T_F_PROTO flag if protocol is set Pablo Neira Ayuso
2015-03-22 20:57 ` [PATCH 0/6] Netfilter fixes for net David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1427049998-5665-4-git-send-email-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).