On Tue, Jun 14, 2016 at 05:38:51PM +0200, Pablo Neira Ayuso wrote:
> From e067bde1535ca78d9c8fea9f49f86c0731274732 Mon Sep 17 00:00:00 2001
> From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> Date: Sat, 11 Jun 2016 12:20:27 +0800
> Subject: [PATCH] netfilter: nf_tables: reject loops from set element jump to
>  chain
>
> Liping Zhang says:
>
> "Users may add such wrong nft rules successfully, which will cause an
> endless jump loop:
>
> # nft add rule filter test tcp dport vmap {1: jump test}
>
> This is because before we commit, the element in the current anonymous
> set is inactive, so ops->walk will skip this element and miss the
> validate check."
>
> To resolve this problem, this patch passes the generation mask to the
> walk function through the iter container structure depending on the code
> path:
>
> 1) If we're dumping the elements, then we have to check if the element
>    is active in the current generation. Thus, we check for the current
>    bit in the genmask.
>
> 2) If we're checking for loops, then we have to check if the element is
>    active in the next generation, as we're in the middle of a
>    transaction. Thus, we check for the next bit in the genmask.
>
> Based on original patch from Liping Zhang.
>
> Reported-by: Liping Zhang <liping.zhang@xxxxxxxxxxxxxx>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> Tested-by: Liping Zhang <liping.zhang@xxxxxxxxxxxxxx>
> ---
> v2: Simplify previous patch through using ctx->net instead of set_pnet().

I have applied this to nf.
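The two code paths in the patch description above, as an added example that is not kernel code and not part of the patch: a toy model of the nf_tables generation mask. It assumes the kernel convention that a set bit in an element's genmask means "inactive in that generation" (so an element added inside an open transaction has the current bit set and the next bit clear), and it simplifies commit to "flip the cursor, then clear the stale bit on pending elements". The chain, set and walk structures, and the names loop_detected_with and visible_elems, are made up for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumption (kernel convention): a set genmask bit means INACTIVE in that
 * generation.  gencursor is 0 or 1; "cur" and "next" are the two bits. */
struct nft_net { unsigned int gencursor; };

static unsigned int nft_genmask_cur(const struct nft_net *net)
{
	return 1u << net->gencursor;
}
static unsigned int nft_genmask_next(const struct nft_net *net)
{
	return 1u << !net->gencursor;
}

struct set_elem {
	unsigned int genmask;
	int dport;                /* key: tcp dport */
	const char *jump_chain;   /* verdict target, NULL for none */
};
struct set { struct set_elem elems[4]; int nelems; };
struct chain { const char *name; const struct set *vmap; }; /* one rule: dport vmap */

static bool nft_set_elem_active(const struct set_elem *e, unsigned int genmask)
{
	return !(e->genmask & genmask);
}

/* Stand-in for set->ops->walk(): only elements active under genmask reach
 * the callback, so the mask the caller passes decides what gets validated. */
typedef bool (*walk_cb)(const struct set_elem *e, void *ctx);
static bool set_walk(const struct set *s, unsigned int genmask, walk_cb cb, void *ctx)
{
	for (int i = 0; i < s->nelems; i++) {
		if (!nft_set_elem_active(&s->elems[i], genmask))
			continue;                 /* the skip that hid the loop */
		if (cb(&s->elems[i], ctx))
			return true;
	}
	return false;
}

/* Loop check: does any verdict reachable from `start` jump back to it? */
struct loop_ctx {
	const struct chain *chains; int nchains;
	const char *start; unsigned int genmask; int depth;
};
static bool chain_loops(const struct chain *c, struct loop_ctx *lc);
static bool elem_loop_cb(const struct set_elem *e, void *arg)
{
	struct loop_ctx *lc = arg;
	if (!e->jump_chain)
		return false;
	if (strcmp(e->jump_chain, lc->start) == 0)
		return true;
	for (int i = 0; i < lc->nchains; i++)
		if (strcmp(lc->chains[i].name, e->jump_chain) == 0)
			return chain_loops(&lc->chains[i], lc);
	return false;
}
static bool chain_loops(const struct chain *c, struct loop_ctx *lc)
{
	if (!c->vmap)
		return false;
	if (lc->depth++ > 16)
		return true;              /* runaway chain walk: treat as a loop */
	return set_walk(c->vmap, lc->genmask, elem_loop_cb, lc);
}

/* The reported scenario (constructed): inside one open transaction,
 *   nft add rule filter test tcp dport vmap {1: jump test}
 * creates an anonymous set whose only element jumps back to chain "test". */
static void build_scenario(struct nft_net *net, struct set *s, struct chain *c)
{
	net->gencursor = 0;
	s->nelems = 1;
	s->elems[0] = (struct set_elem){ .genmask = nft_genmask_cur(net),
					 .dport = 1, .jump_chain = "test" };
	c->name = "test";
	c->vmap = s;
}

/* Rule-add-time loop validation with the mask the caller picks:
 * current bit (old behaviour) or next bit (the fix). */
bool loop_detected_with(bool use_next_mask)
{
	struct nft_net net; struct set s; struct chain c;
	build_scenario(&net, &s, &c);
	struct loop_ctx lc = { .chains = &c, .nchains = 1, .start = "test",
		.genmask = use_next_mask ? nft_genmask_next(&net) : nft_genmask_cur(&net) };
	return chain_loops(&c, &lc);
}

/* Dump path: elements active in the current generation, before and after a
 * simplified commit (flip cursor, clear the now-stale bit on pending elements). */
int visible_elems(bool after_commit)
{
	struct nft_net net; struct set s; struct chain c;
	build_scenario(&net, &s, &c);
	if (after_commit) {
		net.gencursor = !net.gencursor;
		for (int i = 0; i < s.nelems; i++)
			s.elems[i].genmask ^= nft_genmask_next(&net);
	}
	int n = 0;
	for (int i = 0; i < s.nelems; i++)
		n += nft_set_elem_active(&s.elems[i], nft_genmask_cur(&net));
	return n;
}

int main(void)
{
	printf("loop check, current bit (old): %s\n", loop_detected_with(false) ? "loop" : "no loop");
	printf("loop check, next bit (fixed):  %s\n", loop_detected_with(true) ? "loop" : "no loop");
	printf("elements dumped before commit: %d, after: %d\n", visible_elems(false), visible_elems(true));
	return 0;
}
```

With the current bit the walk skips the uncommitted element and the self-jump passes validation; with the next bit the same element is visited and the loop is rejected, while the dump path, still keyed on the current bit, does not show the element until the transaction commits.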