Diffstat (limited to 'target/linux/generic/backport-4.14')
-rw-r--r--target/linux/generic/backport-4.14/302-netfilter-nf_tables_inet-don-t-use-multihook-infrast.patch5
-rw-r--r--target/linux/generic/backport-4.14/335-netfilter-nf_tables-add-single-table-list-for-all-fa.patch39
2 files changed, 23 insertions, 21 deletions
diff --git a/target/linux/generic/backport-4.14/302-netfilter-nf_tables_inet-don-t-use-multihook-infrast.patch b/target/linux/generic/backport-4.14/302-netfilter-nf_tables_inet-don-t-use-multihook-infrast.patch
index 8649a4864a..17d8b21a0f 100644
--- a/target/linux/generic/backport-4.14/302-netfilter-nf_tables_inet-don-t-use-multihook-infrast.patch
+++ b/target/linux/generic/backport-4.14/302-netfilter-nf_tables_inet-don-t-use-multihook-infrast.patch
@@ -90,11 +90,12 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
- afi = &nft_af_ipv4;
- else
- afi = &nft_af_ipv6;
-+ nft_set_pktinfo(&pkt, skb, state);
-
+-
- ops->pf = afi->family;
- if (afi->hooks[ops->hooknum])
- ops->hook = afi->hooks[ops->hooknum];
++ nft_set_pktinfo(&pkt, skb, state);
++
+ switch (state->pf) {
+ case NFPROTO_IPV4:
+ nft_set_pktinfo_ipv4(&pkt, skb);
diff --git a/target/linux/generic/backport-4.14/335-netfilter-nf_tables-add-single-table-list-for-all-fa.patch b/target/linux/generic/backport-4.14/335-netfilter-nf_tables-add-single-table-list-for-all-fa.patch
index bae2e2879e..b090935cdf 100644
--- a/target/linux/generic/backport-4.14/335-netfilter-nf_tables-add-single-table-list-for-all-fa.patch
+++ b/target/linux/generic/backport-4.14/335-netfilter-nf_tables-add-single-table-list-for-all-fa.patch
@@ -548,24 +548,24 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
- if (family != NFPROTO_UNSPEC && family != afi->family)
+ list_for_each_entry_rcu(table, &net->nft.tables, list) {
+ if (family != NFPROTO_UNSPEC && family != table->afi->family)
++ continue;
++
++ if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
continue;
- list_for_each_entry_rcu(table, &afi->tables, list) {
- if (ctx && ctx->table &&
- strcmp(ctx->table, table->name) != 0)
-- continue;
-+ if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
-+ continue;
++ list_for_each_entry_rcu(chain, &table->chains, list) {
++ if (ctx && ctx->chain &&
++ strcmp(ctx->chain, chain->name) != 0)
+ continue;
- list_for_each_entry_rcu(chain, &table->chains, list) {
- if (ctx && ctx->chain &&
- strcmp(ctx->chain, chain->name) != 0)
- continue;
-+ list_for_each_entry_rcu(chain, &table->chains, list) {
-+ if (ctx && ctx->chain &&
-+ strcmp(ctx->chain, chain->name) != 0)
-+ continue;
-
+-
- list_for_each_entry_rcu(rule, &chain->rules, list) {
- if (!nft_is_active(net, rule))
- goto cont;
@@ -703,19 +703,23 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
- if (cur_family) {
- if (afi->family != cur_family)
+- continue;
+ if (ctx->table && ctx->table != table)
+ continue;
-+
+
+- cur_family = 0;
+- }
+- list_for_each_entry_rcu(table, &afi->tables, list) {
+- if (ctx->table && ctx->table != table)
+ if (cur_table) {
+ if (cur_table != table)
continue;
-- cur_family = 0;
+- if (cur_table) {
+- if (cur_table != table)
+- continue;
+ cur_table = NULL;
- }
-- list_for_each_entry_rcu(table, &afi->tables, list) {
-- if (ctx->table && ctx->table != table)
-- continue;
++ }
+ idx = 0;
+ list_for_each_entry_rcu(set, &table->sets, list) {
+ if (idx < s_idx)
@@ -723,14 +727,11 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+ if (!nft_is_active(net, set))
+ goto cont;
-- if (cur_table) {
-- if (cur_table != table)
-- continue;
+- cur_table = NULL;
+ ctx_set = *ctx;
+ ctx_set.table = table;
+ ctx_set.family = table->afi->family;
-
-- cur_table = NULL;
++
+ if (nf_tables_fill_set(skb, &ctx_set, set,
+ NFT_MSG_NEWSET,
+ NLM_F_MULTI) < 0) {