diff options
Diffstat (limited to 'net/netfilter')
| -rw-r--r-- | net/netfilter/core.c | 6 | ||||
| -rw-r--r-- | net/netfilter/nf_tables_api.c | 2 |
2 files changed, 8 insertions, 0 deletions
diff --git a/net/netfilter/core.c b/net/netfilter/core.c index ed8618f4efd7..3508a5c8edbb 100644 --- a/net/netfilter/core.c +++ b/net/netfilter/core.c @@ -160,6 +160,12 @@ nf_hook_entries_grow(const struct nf_hook_entries *old, ++i; continue; } + + if (reg->nat_hook && orig_ops[i]->nat_hook) { + kvfree(new); + return ERR_PTR(-EEXIST); + } + if (inserted || reg->priority > orig_ops[i]->priority) { new_ops[nhooks] = (void *)orig_ops[i]; new->hooks[nhooks] = old->hooks[i]; diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 10798b357481..838eb581b5ab 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -1400,6 +1400,8 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, ops->hook = hookfn; if (afi->hook_ops_init) afi->hook_ops_init(ops, i); + if (basechain->type->type == NFT_CHAIN_T_NAT) + ops->nat_hook = true; } chain->flags |= NFT_BASE_CHAIN; |