If a requested extension exists as module and is not loaded, ebt_check_match() might accidentally use an NFPROTO_UNSPEC one with same name and fail. Reproduced with limit match: Given xt_limit and ebt_limit both built as module, the following would fail: modprobe xt_limit ebtables -I INPUT --limit 1/s -j ACCEPT The fix is to make ebt_check_match() distrust a found NFPROTO_UNSPEC extension and retry after requesting an appropriate module. Cc: Florian Westphal <fw@strlen.de> Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||
---|---|---|
.. | ||
ebt_802_3.c | ||
ebt_among.c | ||
ebt_arp.c | ||
ebt_arpreply.c | ||
ebt_dnat.c | ||
ebt_ip6.c | ||
ebt_ip.c | ||
ebt_limit.c | ||
ebt_log.c | ||
ebt_mark_m.c | ||
ebt_mark.c | ||
ebt_nflog.c | ||
ebt_pkttype.c | ||
ebt_redirect.c | ||
ebt_snat.c | ||
ebt_stp.c | ||
ebt_vlan.c | ||
ebtable_broute.c | ||
ebtable_filter.c | ||
ebtable_nat.c | ||
ebtables.c | ||
Kconfig | ||
Makefile | ||
nf_log_bridge.c | ||
nf_tables_bridge.c | ||
nft_meta_bridge.c | ||
nft_reject_bridge.c |