diff options
| author |   Pablo Neira Ayuso <pablo@netfilter.org> | 2019-11-04 14:52:41 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-11-04 20:58:35 +0100 |
| commit | 1ed012f6fd83e7ee7efd22e2c32f23efff015b30 (patch) | |
| tree | cfdd7fb6a0ad2e74af5de2edaa5afb9ca18e3944 /net | |
| parent | bridge: ebtables: don't crash when using dnat target in output chains (diff) | |
| download | linux-dev-1ed012f6fd83e7ee7efd22e2c32f23efff015b30.tar.xz linux-dev-1ed012f6fd83e7ee7efd22e2c32f23efff015b30.zip | |
netfilter: nf_tables: bogus EOPNOTSUPP on basechain update
Userspace never includes the NFT_BASE_CHAIN flag, this flag is inferred
from the NFTA_CHAIN_HOOK atribute. The chain update path does not allow
to update flags at this stage, the existing sanity check bogusly hits
EOPNOTSUPP in the basechain case if the offload flag is set on.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/netfilter/nf_tables_api.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index aa26841ad9a1..712a428509ad 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -1922,6 +1922,7 @@ static int nf_tables_newchain(struct net *net, struct sock *nlsk, if (nlh->nlmsg_flags & NLM_F_REPLACE) return -EOPNOTSUPP; + flags |= chain->flags & NFT_BASE_CHAIN; return nf_tables_updchain(&ctx, genmask, policy, flags); } |