netfilter: nfnetlink_queue: Solve the NFQUEUE/conntrack clash for NF_REPEAT

NF_REPEAT places the packet at the beginning of the iptables chain instead of accepting or rejecting it right away. The packet however will reach the end of the chain and continue to the end of iptables eventually, so it needs the same handling as NF_ACCEPT and NF_DROP. Fixes: 368982cd ("netfilter: nfnetlink_queue: resolve clash for unconfirmed conntracks") Signed-off-by: N Michal 'vorner' Vaner <michal.vaner@avast.com> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: nfnetlink_queue: Solve the NFQUEUE/conntrack clash for NF_REPEAT
NF_REPEAT places the packet at the beginning of the iptables chain instead of accepting or rejecting it right away. The packet however will reach the end of the chain and continue to the end of iptables eventually, so it needs the same handling as NF_ACCEPT and NF_DROP. Fixes: 368982cd ("netfilter: nfnetlink_queue: resolve clash for unconfirmed conntracks") Signed-off-by: N Michal 'vorner' Vaner <michal.vaner@avast.com> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org>
ad18d7bf · Michal 'vorner' Vaner · Pablo Neira Ayuso · 99e25d07 · ad18d7bf
隐藏空白更改
内联并排

Showing with 1 addition and 0 deletion

net/netfilter/nfnetlink_queue.c net/netfilter/nfnetlink_queue.c +1 -0

未找到文件。
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -233,6 +233,7 @@ static void nfqnl_reinject(struct nf_queue_entry *entry, unsigned int verdict)
 	int err;

 	if (verdict == NF_ACCEPT ||
+	    verdict == NF_REPEAT ||
 	    verdict == NF_STOP) {
 		rcu_read_lock();
 		ct_hook = rcu_dereference(nf_ct_hook);