diff options
| author |   David S. Miller <davem@davemloft.net> | 2018-10-22 20:21:30 -0700 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2018-10-22 20:21:30 -0700 |
| commit | 807192deb876d7550b5de7bf7a40ea3a4421ae0b (patch) | |
| tree | 8e9a907d89652e39f271d4de314bb7193e930f0f /net/netfilter/nft_osf.c | |
| parent | tls: Add maintainers (diff) | |
| parent | netfilter: nf_flow_table: do not remove offload when other netns's interface is down (diff) | |
| download | linux-dev-807192deb876d7550b5de7bf7a40ea3a4421ae0b.tar.xz linux-dev-807192deb876d7550b5de7bf7a40ea3a4421ae0b.zip | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:
====================
Netfilter fixes for net
The following patchset contains Netfilter fixes for your net tree:
1) rbtree lookup from control plane returns the left-hand side element
of the range when the interval end flag is set on.
2) osf extension is not supported from the input path, reject this from
the control plane, from Fernando Fernandez Mancera.
3) xt_TEE is leaving output interface unset due to a recent incorrect
netns rework, from Taehee Yoo.
4) xt_TEE allows to select an interface which does not belong to this
netnamespace, from Taehee Yoo.
5) Zero private extension area in nft_compat, just like we do in x_tables,
otherwise we leak kernel memory to userspace.
6) Missing .checkentry and .destroy entries in new DNAT extensions breaks
it since we never load nf_conntrack dependencies, from Paolo Abeni.
7) Do not remove flowtable hook from netns exit path, the netdevice handler
already deals with this, also from Taehee Yoo.
8) Only cleanup flowtable entries that reside in this netnamespace, also
from Taehee Yoo.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netfilter/nft_osf.c')
| -rw-r--r-- | net/netfilter/nft_osf.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/net/netfilter/nft_osf.c b/net/netfilter/nft_osf.c index 0b452fd470c4..ca5e5d8c5ef8 100644 --- a/net/netfilter/nft_osf.c +++ b/net/netfilter/nft_osf.c @@ -82,6 +82,15 @@ nla_put_failure: return -1; } +static int nft_osf_validate(const struct nft_ctx *ctx, + const struct nft_expr *expr, + const struct nft_data **data) +{ + return nft_chain_validate_hooks(ctx->chain, (1 << NF_INET_LOCAL_IN) | + (1 << NF_INET_PRE_ROUTING) | + (1 << NF_INET_FORWARD)); +} + static struct nft_expr_type nft_osf_type; static const struct nft_expr_ops nft_osf_op = { .eval = nft_osf_eval, @@ -89,6 +98,7 @@ static const struct nft_expr_ops nft_osf_op = { .init = nft_osf_init, .dump = nft_osf_dump, .type = &nft_osf_type, + .validate = nft_osf_validate, }; static struct nft_expr_type nft_osf_type __read_mostly = { |