netfilter: nf_tables: restrict nat/masq expressions to nat chain type - starfive-tech/linux.git - StarFive Tech Linux Kernel for VisionFive (JH7110) boards (mirror)

diff options

author	Pablo Neira Ayuso <pablo@netfilter.org>	2014-10-13 21:50:22 +0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2014-10-13 22:42:00 +0400
commit	7210e4e38f945dfa173c4a4e59ad827c9ecad541 (patch)
tree	f86826588257abd66235761163e113bfdd82594f /ipc
parent	ab2d7251d666995740da17b2a51ca545ac5dd037 (diff)
download	linux-7210e4e38f945dfa173c4a4e59ad827c9ecad541.tar.xz

netfilter: nf_tables: restrict nat/masq expressions to nat chain type

This adds the missing validation code to avoid the use of nat/masq from non-nat chains. The validation assumes two possible configuration scenarios: 1) Use of nat from base chain that is not of nat type. Reject this configuration from the nft_*_init() path of the expression. 2) Use of nat from non-base chain. In this case, we have to wait until the non-base chain is referenced by at least one base chain via jump/goto. This is resolved from the nft_*_validate() path which is called from nf_tables_check_loops(). The user gets an -EOPNOTSUPP in both cases. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'ipc')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: