This repository has been archived by the owner on Sep 24, 2020. It is now read-only.

netfilter: nf_queue: fix reinject verdict handling
[ Upstream commit 946c0d8 ]

This patch fixes netfilter hook traversal when there is more than one hook
returning an NF_QUEUE verdict. When the first queue reinjects the packet,
'nf_reinject' starts traversing hooks with a proper hook_index. However,
if it again receives an NF_QUEUE verdict (by some other netfilter hook), it
queues the packet with a wrong hook_index. So, when the second queue
reinjects the packet, it re-executes hooks in between.

Fixes: 960632e ("netfilter: convert hook list to an array")
Signed-off-by: Jagdish Motwani <jagdish.motwani@sophos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Jagdish Motwani authored and gregkh committed Jun 22, 2019
1 parent 5a9c29c commit 883ce78
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions net/netfilter/nf_queue.c
Expand Up @@ -238,6 +238,7 @@ static unsigned int nf_iterate(struct sk_buff *skb,
repeat:
verdict = nf_hook_entry_hookfn(hook, skb, state);
if (verdict != NF_ACCEPT) {
*index = i;
if (verdict != NF_REPEAT)
return verdict;
goto repeat;
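Review bot: the added `*index = i;` sits before the NF_REPEAT check, so it also executes on every NF_REPEAT round trip where the function does not return and `i` has not changed; the store is harmless but redundant there. If the intent is only to record which hook produced the verdict that is being returned, consider moving the assignment under `if (verdict != NF_REPEAT)` directly before `return verdict;`. Either way, a one-line comment at the assignment saying that `*index` must point at the hook that issued the non-accept verdict (so that a caller requeuing the packet resumes from the correct position instead of the index it started with) would document the contract this fix relies on.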

0 comments on commit 883ce78
