a654de8fdc
The following ruleset: add table ip filter add chain ip filter input { type filter hook input priority 4; } add chain ip filter ap add rule ip filter input jump ap add rule ip filter ap masquerade results in a panic, because the masquerade extension should be rejected from the filter chain. The existing validation is missing a chain dependency check when the rule is added to the non-base chain. This patch fixes the problem by walking down the rules from the basechains, searching for either immediate or lookup expressions, then jumping to non-base chains and again walking down the rules to perform the expression validation, so we make sure the full ruleset graph is validated. This is done only once from the commit phase, in case of problem, we abort the transaction and perform fine grain validation for error reporting. This patch requires 003087911af2 ("netfilter: nfnetlink: allow commit to fail") to achieve this behaviour. This patch also adds a cleanup callback to nfnl batch interface to reset the validate state from the exit path. As a result of this patch, nf_tables_check_loops() doesn't use ->validate to check for loops, instead it just checks for immediate expressions. Reported-by: Taehee Yoo <ap420073@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
16 lines
275 B
C
16 lines
275 B
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef _NETNS_NFTABLES_H_
|
|
#define _NETNS_NFTABLES_H_
|
|
|
|
#include <linux/list.h>
|
|
|
|
struct netns_nftables {
|
|
struct list_head tables;
|
|
struct list_head commit_list;
|
|
unsigned int base_seq;
|
|
u8 gencursor;
|
|
u8 validate_state;
|
|
};
|
|
|
|
#endif
|