Diffstat (limited to 'target/linux/generic/backport-4.19/327-v4.16-netfilter-nf_tables-remove-nhooks-field-from-struct-.patch')
-rw-r--r--target/linux/generic/backport-4.19/327-v4.16-netfilter-nf_tables-remove-nhooks-field-from-struct-.patch113
1 files changed, 113 insertions, 0 deletions
diff --git a/target/linux/generic/backport-4.19/327-v4.16-netfilter-nf_tables-remove-nhooks-field-from-struct-.patch b/target/linux/generic/backport-4.19/327-v4.16-netfilter-nf_tables-remove-nhooks-field-from-struct-.patch
new file mode 100644
index 0000000000..7d13a59424
--- /dev/null
+++ b/target/linux/generic/backport-4.19/327-v4.16-netfilter-nf_tables-remove-nhooks-field-from-struct-.patch
@@ -0,0 +1,113 @@
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 19 Dec 2017 13:53:45 +0100
+Subject: [PATCH] netfilter: nf_tables: remove nhooks field from struct
+ nft_af_info
+
+We already validate the hook through bitmask, so this check is
+superfluous. When removing this, this patch is also fixing a bug in the
+new flowtable codebase, since ctx->afi points to the table family
+instead of the netdev family which is where the flowtable is really
+hooked in.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -968,7 +968,6 @@ enum nft_af_flags {
+ *
+ * @list: used internally
+ * @family: address family
+- * @nhooks: number of hooks in this family
+ * @owner: module owner
+ * @tables: used internally
+ * @flags: family flags
+@@ -976,7 +975,6 @@ enum nft_af_flags {
+ struct nft_af_info {
+ struct list_head list;
+ int family;
+- unsigned int nhooks;
+ struct module *owner;
+ struct list_head tables;
+ u32 flags;
+--- a/net/bridge/netfilter/nf_tables_bridge.c
++++ b/net/bridge/netfilter/nf_tables_bridge.c
+@@ -44,7 +44,6 @@ nft_do_chain_bridge(void *priv,
+
+ static struct nft_af_info nft_af_bridge __read_mostly = {
+ .family = NFPROTO_BRIDGE,
+- .nhooks = NF_BR_NUMHOOKS,
+ .owner = THIS_MODULE,
+ };
+
+--- a/net/ipv4/netfilter/nf_tables_arp.c
++++ b/net/ipv4/netfilter/nf_tables_arp.c
+@@ -29,7 +29,6 @@ nft_do_chain_arp(void *priv,
+
+ static struct nft_af_info nft_af_arp __read_mostly = {
+ .family = NFPROTO_ARP,
+- .nhooks = NF_ARP_NUMHOOKS,
+ .owner = THIS_MODULE,
+ };
+
+--- a/net/ipv4/netfilter/nf_tables_ipv4.c
++++ b/net/ipv4/netfilter/nf_tables_ipv4.c
+@@ -32,7 +32,6 @@ static unsigned int nft_do_chain_ipv4(vo
+
+ static struct nft_af_info nft_af_ipv4 __read_mostly = {
+ .family = NFPROTO_IPV4,
+- .nhooks = NF_INET_NUMHOOKS,
+ .owner = THIS_MODULE,
+ };
+
+--- a/net/ipv6/netfilter/nf_tables_ipv6.c
++++ b/net/ipv6/netfilter/nf_tables_ipv6.c
+@@ -30,7 +30,6 @@ static unsigned int nft_do_chain_ipv6(vo
+
+ static struct nft_af_info nft_af_ipv6 __read_mostly = {
+ .family = NFPROTO_IPV6,
+- .nhooks = NF_INET_NUMHOOKS,
+ .owner = THIS_MODULE,
+ };
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1359,9 +1359,6 @@ static int nft_chain_parse_hook(struct n
+ return -EINVAL;
+
+ hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
+- if (hook->num >= afi->nhooks)
+- return -EINVAL;
+-
+ hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
+
+ type = chain_type[afi->family][NFT_CHAIN_T_DEFAULT];
+@@ -4987,7 +4984,7 @@ static int nf_tables_flowtable_parse_hoo
+ return -EINVAL;
+
+ hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
+- if (hooknum >= ctx->afi->nhooks)
++ if (hooknum != NF_NETDEV_INGRESS)
+ return -EINVAL;
+
+ priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
+--- a/net/netfilter/nf_tables_inet.c
++++ b/net/netfilter/nf_tables_inet.c
+@@ -40,7 +40,6 @@ static unsigned int nft_do_chain_inet(vo
+
+ static struct nft_af_info nft_af_inet __read_mostly = {
+ .family = NFPROTO_INET,
+- .nhooks = NF_INET_NUMHOOKS,
+ .owner = THIS_MODULE,
+ };
+
+--- a/net/netfilter/nf_tables_netdev.c
++++ b/net/netfilter/nf_tables_netdev.c
+@@ -40,7 +40,6 @@ nft_do_chain_netdev(void *priv, struct s
+
+ static struct nft_af_info nft_af_netdev __read_mostly = {
+ .family = NFPROTO_NETDEV,
+- .nhooks = NF_NETDEV_NUMHOOKS,
+ .owner = THIS_MODULE,
+ .flags = NFT_AF_NEEDS_DEV,
+ };