netfilter: nf_queue: fix reinject verdict handling
This patch fixes netfilter hook traversal when there are more than 1 hooks
returning NF_QUEUE verdict. When the first queue reinjects the packet,
'nf_reinject' starts traversing hooks with a proper hook_index. However,
if it again receives a NF_QUEUE verdict (by some other netfilter hook), it
queues the packet with a wrong hook_index. So, when the second queue
reinjects the packet, it re-executes hooks in between.

Fixes: 960632e ("netfilter: convert hook list to an array")
Signed-off-by: Jagdish Motwani <jagdish.motwani@sophos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Jagdish Motwani authored and Pablo Neira Ayuso committed May 21, 2019
1 parent 2c82c7e commit 946c0d8
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions net/netfilter/nf_queue.c
Expand Up @@ -255,6 +255,7 @@ static unsigned int nf_iterate(struct sk_buff *skb,
repeat:
verdict = nf_hook_entry_hookfn(hook, skb, state);
if (verdict != NF_ACCEPT) {
*index = i;
if (verdict != NF_REPEAT)
return verdict;
goto repeat;
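Review bot: `*index = i;` at the top of the `if (verdict != NF_ACCEPT)` block carries no comment saying why the position is recorded, and it runs for every non-accept verdict, including NF_REPEAT immediately before `goto repeat`. The commit message ties the stored index to the case where a hook returns NF_QUEUE during a reinject, so a one-line comment stating that the index is what a later reinject resumes from would make the intent clear to the next reader. If only returned verdicts need it, the store could instead sit with `return verdict;` under the `verdict != NF_REPEAT` test so the repeat path skips it.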
