On Wed, Jun 06, 2018 at 12:14:56PM +0200, Florian Westphal wrote:
> the ebtables evaluation loop expects targets to return
> positive values (jumps), or negative values (absolute verdicts).
>
> This is completely different from what xtables does.
> In xtables, targets are expected to return the standard netfilter
> verdicts, i.e. NF_DROP, NF_ACCEPT, etc.
>
> ebtables will consider these as jumps.
>
> Therefore reject any target found due to unspec fallback.
> v2: also reject watchers. ebtables ignores their return value, so
> a target that assumes skb ownership (and returns NF_STOLEN) causes
> use-after-free.
>
> The only watchers in the 'ebtables' front-end are log and nflog;
> both have AF_BRIDGE specific wrappers on kernel side.

Applied, thanks Florian.
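
The verdict mismatch described in the quoted commit message, as an added example that is not part of the original mail or of the kernel patch: a simplified user-space model of how an ebtables-style loop reads a target's return value, with a load-time family check of the kind the message describes. The verdict and protocol constants match the Linux UAPI headers; `struct model_target` and all function names are hypothetical.

```c
#include <stdio.h>
/* Constants as defined in the Linux UAPI headers. */
enum { NF_DROP = 0, NF_ACCEPT = 1, NF_STOLEN = 2 };
enum { EBT_ACCEPT = -1, EBT_DROP = -2, EBT_CONTINUE = -3, EBT_RETURN = -4 };
enum { NFPROTO_UNSPEC = 0, NFPROTO_BRIDGE = 7 };

/* Hypothetical, simplified descriptor; not the kernel's struct xt_target. */
struct model_target { const char *name; int family; int (*fn)(void); };

enum outcome { OUT_ACCEPT, OUT_DROP, OUT_NEXT_RULE, OUT_RETURN, OUT_JUMP };

/* ebtables-style reading of a return value: negative values are absolute
 * verdicts, anything else is taken as a jump (stored in *jump). */
enum outcome ebt_style_interpret(int verdict, int *jump)
{
    switch (verdict) {
    case EBT_ACCEPT:   return OUT_ACCEPT;
    case EBT_DROP:     return OUT_DROP;
    case EBT_CONTINUE: return OUT_NEXT_RULE;
    case EBT_RETURN:   return OUT_RETURN;
    }
    if (verdict < 0)
        return OUT_DROP;          /* unknown negative value: fail closed */
    *jump = verdict;              /* NF_DROP, NF_ACCEPT, NF_STOLEN land here */
    return OUT_JUMP;
}

/* Load-time check modelling the fix: refuse any target that is not
 * bridge-specific, i.e. one found only through the unspec fallback. */
int check_target_family(const struct model_target *t)
{
    return t->family == NFPROTO_BRIDGE ? 0 : -1;
}

static int xt_style_drop(void)     { return NF_DROP; }   /* xtables convention */
static int bridge_style_drop(void) { return EBT_DROP; }  /* ebtables convention */

/* Constructed sample targets. */
const struct model_target unspec_tgt = { "xt-style", NFPROTO_UNSPEC, xt_style_drop };
const struct model_target bridge_tgt = { "bridge", NFPROTO_BRIDGE, bridge_style_drop };

int main(void)
{
    int jump = -1;
    enum outcome o = ebt_style_interpret(unspec_tgt.fn(), &jump);
    printf("%s: outcome=%d jump=%d check=%d\n", unspec_tgt.name, (int)o, jump,
           check_target_family(&unspec_tgt));
    return 0;
}
```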