netfilter: ebtables: Fix extension lookup with identical name
If a requested extension exists as module and is not loaded, ebt_check_match() might accidentally use an NFPROTO_UNSPEC one with same name and fail. Reproduced with limit match: Given xt_limit and ebt_limit both built as module, the following would fail: modprobe xt_limit ebtables -I INPUT --limit 1/s -j ACCEPT The fix is to make ebt_check_match() distrust a found NFPROTO_UNSPEC extension and retry after requesting an appropriate module. Cc: Florian Westphal <fw@strlen.de> Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
644c7e48cb
commit
bcf4934288
@ -370,7 +370,11 @@ ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
|
||||
left - sizeof(struct ebt_entry_match) < m->match_size)
|
||||
return -EINVAL;
|
||||
|
||||
match = xt_request_find_match(NFPROTO_BRIDGE, m->u.name, 0);
|
||||
match = xt_find_match(NFPROTO_BRIDGE, m->u.name, 0);
|
||||
if (IS_ERR(match) || match->family != NFPROTO_BRIDGE) {
|
||||
request_module("ebt_%s", m->u.name);
|
||||
match = xt_find_match(NFPROTO_BRIDGE, m->u.name, 0);
|
||||
}
|
||||
if (IS_ERR(match))
|
||||
return PTR_ERR(match);
|
||||
m->u.match = match;
|
||||
|
Loading…
Reference in New Issue
Block a user