netfilter: xt_set: Check hook mask correctly

Inserting rule before one with SET target we get error with warning in dmesg(1) output: # iptables -A FORWARD -t mangle -j SET --map-set test src --map-prio # iptables -I FORWARD 1 -t mangle -j ACCEPT iptables: Invalid argument. Run `dmesg' for more information. # dmesg |tail -n1 [268578.026643] mapping of prio or/and queue is allowed only from \ OUTPUT/FORWARD/POSTROUTING chains Rather than checking for supported hook bits for SET target check for unsupported one as done in all rest of matches and targets. Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
2018-06-05 11:46:13 +02:00 · 2018-06-05 11:46:13 +02:00 · 9dcceb1378
commit 9dcceb1378
parent 6fcc02e3c2
1 changed files with 1 additions and 1 deletions
--- a/net/netfilter/xt_set.c
+++ b/net/netfilter/xt_set.c
@ -470,7 +470,7 @@ set_target_v3_checkentry(const struct xt_tgchk_param *par)
 		}
 		if (((info->flags & IPSET_FLAG_MAP_SKBPRIO) |
 		     (info->flags & IPSET_FLAG_MAP_SKBQUEUE)) &&
-		     !(par->hook_mask & (1 << NF_INET_FORWARD |
+		     (par->hook_mask & ~(1 << NF_INET_FORWARD |
 					 1 << NF_INET_LOCAL_OUT |
 					 1 << NF_INET_POST_ROUTING))) {
 			pr_info_ratelimited("mapping of prio or/and queue is allowed only from OUTPUT/FORWARD/POSTROUTING chains\n");