On Wed, Jul 04, 2018 at 09:13:06PM +0200, Florian Westphal wrote:
> iptables-nft never requests these, but explicitly reject this.
>
> If it were requested, kernel will oops as ->target is NULL.
>
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> ---
>  net/netfilter/nft_compat.c | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
>
> diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
> index 8d1ff654e5af..198cef9c2906 100644
> --- a/net/netfilter/nft_compat.c
> +++ b/net/netfilter/nft_compat.c
> @@ -832,10 +832,16 @@ nft_target_select_ops(const struct nft_ctx *ctx,
>  	rev = ntohl(nla_get_be32(tb[NFTA_TARGET_REV]));
>  	family = ctx->family;
>
> +	if (strcmp(tg_name, "ERROR") == 0)
> +		return ERR_PTR(-EINVAL);

We can just reject XT_ERROR_TARGET and XT_STANDARD_TARGET here, to keep
it simple, right? So we don't use this hardcoded "ERROR".

I can just mangle this patch, no need to resend.

Thanks!

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
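Review bot: the new check in nft_target_select_ops compares against a hardcoded "ERROR" string, while the kernel already names this builtin target as XT_ERROR_TARGET (the reply in this thread refers to it); `if (strcmp(tg_name, XT_ERROR_TARGET) == 0)` avoids carrying a second copy of the name that can drift from the definition. The description says "these" targets would oops because ->target is NULL, yet the hunk rejects only "ERROR"; the standard target (XT_STANDARD_TARGET, as the reply suggests) belongs in the same rejection so that neither builtin reaches the NULL ->target path. Note also that the quoted hunk shows two added lines whereas the diffstat reports 12 insertions, so the remainder of the change is not visible here for review.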