path: root/net/netfilter/nft_flow_offload.c
author Florian Westphal <fw@strlen.de> 2019-04-12 11:09:25 +0200
committer Pablo Neira Ayuso <pablo@netfilter.org> 2019-04-30 13:47:32 +0200
commit 66293c46c9314d2b3e80be829a48fed17a848146 (patch)
tree 67f8105ef2babdb19eed62de9caf3e35061ee1bc /net/netfilter/nft_flow_offload.c
parent ipv6/flowlabel: wait rcu grace period before put_pid() (diff)
netfilter: nf_tables: delay chain policy update until transaction is complete
When we process a long ruleset of the form

    chain input {
       type filter hook input priority filter; policy drop;
       ...
    }

Then the base chain gets registered early on, we then continue to
process/validate the next messages coming in the same transaction.

Problem is that if the base chain policy is 'drop', it will take effect
immediately, which causes all traffic to get blocked until the
transaction completes or is aborted.

Fix this by deferring the policy until the transaction has been
processed and all of the rules have been flagged as active.

Reported-by: Jann Haber <jann.haber@selfnet.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter/nft_flow_offload.c')
0 files changed, 0 insertions, 0 deletions