netfilter-devel.vger.kernel.org archive mirror
* [PATCH nf] netfilter: nftables: permit any priority for nat hooks
@ 2020-08-14 13:07 Florian Westphal
  0 siblings, 0 replies; only message in thread
From: Florian Westphal @ 2020-08-14 13:07 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

This reverts
commit 84ba7dd71add ("netfilter: nf_tables: reject nat hook registration if prio is before conntrack")

As of commit 9971a514ed2697e ("netfilter: nf_nat: add nat type hooks to nat core")
NAT hooks are always called from a fixed chain priority. The priority is
only used to order a nat chain wrt. other nat base chains, not arbitrary
hook functions. Even INT_MIN will not call the nat hook before conntrack
anymore.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_tables_api.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index fd814e514f94..6e2a75223882 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1831,10 +1831,6 @@ static int nft_chain_parse_hook(struct net *net,
 	if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
 		return -EOPNOTSUPP;
 
-	if (type->type == NFT_CHAIN_T_NAT &&
-	    hook->priority <= NF_IP_PRI_CONNTRACK)
-		return -EOPNOTSUPP;
-
 	if (!try_module_get(type->owner))
 		return -ENOENT;
 
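Review bot: the removal of the `NFT_CHAIN_T_NAT` / `NF_IP_PRI_CONNTRACK` check leaves nothing at the call site recording why priorities at or below conntrack are now acceptable for nat chains, so a later reader of nft_chain_parse_hook() could reasonably reintroduce the rejection. The rationale in the commit message (nat hooks run from a fixed chain priority since 9971a514ed2697e, and the user-supplied priority only orders nat base chains among themselves) is worth carrying into a short comment next to the remaining `try_module_get(type->owner)` check. Also note for the changelog that this is a user-visible behaviour change: a chain registration that previously failed with -EOPNOTSUPP now succeeds.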
-- 
2.26.2

