leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
960fa72f67
linux/net/bridge/netfilter
History
Liping Zhang 960fa72f67 netfilter: nft_meta: improve the validity check of pkttype set expr 
"meta pkttype set" is only supported on prerouting chain with bridge
family and ingress chain with netdev family.

But the validate check is incomplete, and the user can add the nft
rules on input chain with bridge family, for example:
  # nft add table bridge filter
  # nft add chain bridge filter input {type filter hook input \
    priority 0 \;}
  # nft add chain bridge filter test
  # nft add rule bridge filter test meta pkttype set unicast
  # nft add rule bridge filter input jump test

This patch fixes the problem.

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2016-08-25 13:12:03 +02:00
..
ebt_802_3.c netfilter: Convert FWINV<[foo]> macros and uses to NF_INVF 2016-07-03 10:55:07 +02:00
ebt_among.c bridge: netfilter: Use ether_addr_copy 2014-02-24 19:16:44 -05:00
ebt_arp.c netfilter: Convert FWINV<[foo]> macros and uses to NF_INVF 2016-07-03 10:55:07 +02:00
ebt_arpreply.c netfilter: xtables: substitute temporary defines by final name 2010-05-11 18:31:17 +02:00
ebt_dnat.c bridge: netfilter: Use ether_addr_copy 2014-02-24 19:16:44 -05:00
ebt_ip6.c netfilter: Convert FWINV<[foo]> macros and uses to NF_INVF 2016-07-03 10:55:07 +02:00
ebt_ip.c netfilter: Convert FWINV<[foo]> macros and uses to NF_INVF 2016-07-03 10:55:07 +02:00
ebt_limit.c netfilter: xtables: deconstify struct xt_action_param for matches 2010-05-11 18:33:37 +02:00
ebt_log.c netfilter-bridge: brace placement 2015-11-23 17:54:40 +01:00
ebt_mark_m.c netfilter: xtables: deconstify struct xt_action_param for matches 2010-05-11 18:33:37 +02:00
ebt_mark.c netfilter: xtables: substitute temporary defines by final name 2010-05-11 18:31:17 +02:00
ebt_nflog.c netfilter: x_tables: Use par->net instead of computing from the passed net devices 2015-09-18 21:58:25 +02:00
ebt_pkttype.c netfilter: xtables: deconstify struct xt_action_param for matches 2010-05-11 18:33:37 +02:00
ebt_redirect.c bridge: netfilter: Use ether_addr_copy 2014-02-24 19:16:44 -05:00
ebt_snat.c bridge: netfilter: Use ether_addr_copy 2014-02-24 19:16:44 -05:00
ebt_stp.c netfilter: Convert FWINV<[foo]> macros and uses to NF_INVF 2016-07-03 10:55:07 +02:00
ebt_vlan.c netfilter-bridge: use netdev style comments 2015-11-23 17:54:39 +01:00
ebtable_broute.c netfilter: ebtables: Simplify the arguments to ebt_do_table 2015-09-18 21:57:35 +02:00
ebtable_filter.c netfilter-bridge: Cleanse indentation 2015-11-23 17:54:39 +01:00
ebtable_nat.c netfilter-bridge: Cleanse indentation 2015-11-23 17:54:39 +01:00
ebtables.c netfilter: Convert FWINV<[foo]> macros and uses to NF_INVF 2016-07-03 10:55:07 +02:00
Kconfig netfilter: bridge: add reject support 2014-07-22 12:00:22 +02:00
Makefile netfilter: kill remnants of ulog targets 2014-07-25 14:55:44 +02:00
nf_log_bridge.c netfilter: bridge: add generic packet logger 2014-06-27 13:20:47 +02:00
nf_tables_bridge.c netfilter: bridge: add nf_afinfo to enable queuing to userspace 2016-03-29 13:24:37 +02:00
nft_meta_bridge.c netfilter: nft_meta: improve the validity check of pkttype set expr 2016-08-25 13:12:03 +02:00
nft_reject_bridge.c net: bridge: remove _deliver functions and consolidate forward code 2016-07-16 19:57:38 -07:00