Diffstat (limited to 'target/linux/generic/backport-4.14/327-v4.16-netfilter-nf_tables-remove-nhooks-field-from-struct-.patch')
-rw-r--r-- | target/linux/generic/backport-4.14/327-v4.16-netfilter-nf_tables-remove-nhooks-field-from-struct-.patch | 113 |
1 files changed, 113 insertions, 0 deletions
diff --git a/target/linux/generic/backport-4.14/327-v4.16-netfilter-nf_tables-remove-nhooks-field-from-struct-.patch b/target/linux/generic/backport-4.14/327-v4.16-netfilter-nf_tables-remove-nhooks-field-from-struct-.patch
new file mode 100644
index 0000000000..ac38477ca6
--- /dev/null
+++ b/target/linux/generic/backport-4.14/327-v4.16-netfilter-nf_tables-remove-nhooks-field-from-struct-.patch
@@ -0,0 +1,113 @@
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 19 Dec 2017 13:53:45 +0100
+Subject: [PATCH] netfilter: nf_tables: remove nhooks field from struct
+ nft_af_info
+
+We already validate the hook through bitmask, so this check is
+superfluous. When removing this, this patch is also fixing a bug in the
+new flowtable codebase, since ctx->afi points to the table family
+instead of the netdev family which is where the flowtable is really
+hooked in.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -963,7 +963,6 @@ enum nft_af_flags {
+ *
+ * @list: used internally
+ * @family: address family
+- * @nhooks: number of hooks in this family
+ * @owner: module owner
+ * @tables: used internally
+ * @flags: family flags
+@@ -971,7 +970,6 @@ enum nft_af_flags {
+ struct nft_af_info {
+ struct list_head list;
+ int family;
+- unsigned int nhooks;
+ struct module *owner;
+ struct list_head tables;
+ u32 flags;
+--- a/net/bridge/netfilter/nf_tables_bridge.c
++++ b/net/bridge/netfilter/nf_tables_bridge.c
+@@ -44,7 +44,6 @@ nft_do_chain_bridge(void *priv,
+
+ static struct nft_af_info nft_af_bridge __read_mostly = {
+ .family = NFPROTO_BRIDGE,
+- .nhooks = NF_BR_NUMHOOKS,
+ .owner = THIS_MODULE,
+ };
+
+--- a/net/ipv4/netfilter/nf_tables_arp.c
++++ b/net/ipv4/netfilter/nf_tables_arp.c
+@@ -29,7 +29,6 @@ nft_do_chain_arp(void *priv,
+
+ static struct nft_af_info nft_af_arp __read_mostly = {
+ .family = NFPROTO_ARP,
+- .nhooks = NF_ARP_NUMHOOKS,
+ .owner = THIS_MODULE,
+ };
+
+--- a/net/ipv4/netfilter/nf_tables_ipv4.c
++++ b/net/ipv4/netfilter/nf_tables_ipv4.c
+@@ -32,7 +32,6 @@ static unsigned int nft_do_chain_ipv4(vo
+
+ static struct nft_af_info nft_af_ipv4 __read_mostly = {
+ .family = NFPROTO_IPV4,
+- .nhooks = NF_INET_NUMHOOKS,
+ .owner = THIS_MODULE,
+ };
+
+--- a/net/ipv6/netfilter/nf_tables_ipv6.c
++++ b/net/ipv6/netfilter/nf_tables_ipv6.c
+@@ -30,7 +30,6 @@ static unsigned int nft_do_chain_ipv6(vo
+
+ static struct nft_af_info nft_af_ipv6 __read_mostly = {
+ .family = NFPROTO_IPV6,
+- .nhooks = NF_INET_NUMHOOKS,
+ .owner = THIS_MODULE,
+ };
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1328,9 +1328,6 @@ static int nft_chain_parse_hook(struct n
+ return -EINVAL;
+
+ hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
+- if (hook->num >= afi->nhooks)
+- return -EINVAL;
+-
+ hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
+
+ type = chain_type[afi->family][NFT_CHAIN_T_DEFAULT];
+@@ -4919,7 +4916,7 @@ static int nf_tables_flowtable_parse_hoo
+ return -EINVAL;
+
+ hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
+- if (hooknum >= ctx->afi->nhooks)
++ if (hooknum != NF_NETDEV_INGRESS)
+ return -EINVAL;
+
+ priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
+--- a/net/netfilter/nf_tables_inet.c
++++ b/net/netfilter/nf_tables_inet.c
+@@ -40,7 +40,6 @@ static unsigned int nft_do_chain_inet(vo
+
+ static struct nft_af_info nft_af_inet __read_mostly = {
+ .family = NFPROTO_INET,
+- .nhooks = NF_INET_NUMHOOKS,
+ .owner = THIS_MODULE,
+ };
+
+--- a/net/netfilter/nf_tables_netdev.c
++++ b/net/netfilter/nf_tables_netdev.c
+@@ -40,7 +40,6 @@ nft_do_chain_netdev(void *priv, struct s
+
+ static struct nft_af_info nft_af_netdev __read_mostly = {
+ .family = NFPROTO_NETDEV,
+- .nhooks = NF_NETDEV_NUMHOOKS,
+ .owner = THIS_MODULE,
+ .flags = NFT_AF_NEEDS_DEV,
+ }; |
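Review bot: Dropping the `hook->num >= afi->nhooks` test in nft_chain_parse_hook leaves the netlink-supplied hook number with no range check in the lines shown, so its validation now rests entirely on the bitmask test the commit message refers to, which lies outside this hunk along with the rest of the function. If that test has the form `type->hook_mask & (1 << hook->num)`, a value of 32 or more makes the shift undefined, and the mask can no longer be relied on to reject an out-of-range hook number before it is used to index per-hook state. I would confirm that the 4.14 tree this backport applies to bounds the value ahead of the mask test, for example with `if (hook->num >= NF_MAX_HOOKS) return -EINVAL;`, or that a later patch in the series adds such a bound. The flowtable side is fine as written, since `hooknum != NF_NETDEV_INGRESS` is a strict equality and admits only the one valid value.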