Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote: > On Wed, Jul 04, 2018 at 09:13:06PM +0200, Florian Westphal wrote: > > iptables-nft never requests these, but explicitly reject this. > > > > If it were requested, kernel will oops as ->target is NULL. > > > > Signed-off-by: Florian Westphal <fw@xxxxxxxxx> > > --- > > net/netfilter/nft_compat.c | 12 ++++++++++++ > > 1 file changed, 12 insertions(+) > > > > diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c > > index 8d1ff654e5af..198cef9c2906 100644 > > --- a/net/netfilter/nft_compat.c > > +++ b/net/netfilter/nft_compat.c > > @@ -832,10 +832,16 @@ nft_target_select_ops(const struct nft_ctx *ctx, > > rev = ntohl(nla_get_be32(tb[NFTA_TARGET_REV])); > > family = ctx->family; > > > > + if (strcmp(tg_name, "ERROR") == 0) > > + return ERR_PTR(-EINVAL); > > We can just reject XT_ERROR_TARGET and XT_STANDARD_TARGET here, to > keep it simple, right? So we don't use this hardcoded "ERROR". Yes, that works too. Rejecting XT_STANDARD_TARGET might be a good idea too in case someone ever changes it to have a non-null evaluation function. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
