diff options
| author | Eric Leblond | 2013-11-30 11:56:17 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso | 2013-12-07 23:20:44 +0100 |
| commit | e569bdab35fd0d31cecb6b072e95af1834991f9d (patch) | |
| tree | 7d1453847d99dd321fae66a5d80443010b43454e /net/netfilter/nf_tables_core.c | |
| parent | Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/lin... (diff) | |
| download | kernel-qcow2-linux-e569bdab35fd0d31cecb6b072e95af1834991f9d.tar.gz kernel-qcow2-linux-e569bdab35fd0d31cecb6b072e95af1834991f9d.tar.xz kernel-qcow2-linux-e569bdab35fd0d31cecb6b072e95af1834991f9d.zip | |
netfilter: nf_tables: fix issue with verdict support
The test on verdict was simply done on the value of the verdict
which is not correct as far as queue is concern. In fact, the test
of verdict test must be done with respect to the verdict mask for
verdicts which are not internal to nftables.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter/nf_tables_core.c')
| -rw-r--r-- | net/netfilter/nf_tables_core.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c index cb9e685caae1..e8fcc343c2b9 100644 --- a/net/netfilter/nf_tables_core.c +++ b/net/netfilter/nf_tables_core.c @@ -164,7 +164,7 @@ next_rule: break; } - switch (data[NFT_REG_VERDICT].verdict) { + switch (data[NFT_REG_VERDICT].verdict & NF_VERDICT_MASK) { case NF_ACCEPT: case NF_DROP: case NF_QUEUE: @@ -172,6 +172,9 @@ next_rule: nft_trace_packet(pkt, chain, rulenum, NFT_TRACE_RULE); return data[NFT_REG_VERDICT].verdict; + } + + switch (data[NFT_REG_VERDICT].verdict) { case NFT_JUMP: if (unlikely(pkt->skb->nf_trace)) nft_trace_packet(pkt, chain, rulenum, NFT_TRACE_RULE); |