This reverts commit 84ba7dd71add ("netfilter: nf_tables: reject nat hook registration if prio is before conntrack") As of commit 9971a514ed2697e ("netfilter: nf_nat: add nat type hooks to nat core") NAT hooks are always called from a fixed chain priority. The priority is only used to order a nat chain wrt. other nat base chains, not arbitrary hook functions. Even INT_MIN will not call the nat hook before conntrack anymore. Signed-off-by: Florian Westphal <fw@xxxxxxxxx> --- net/netfilter/nf_tables_api.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index fd814e514f94..6e2a75223882 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -1831,10 +1831,6 @@ static int nft_chain_parse_hook(struct net *net, if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num))) return -EOPNOTSUPP; - if (type->type == NFT_CHAIN_T_NAT && - hook->priority <= NF_IP_PRI_CONNTRACK) - return -EOPNOTSUPP; - if (!try_module_get(type->owner)) return -ENOENT; -- 2.26.2
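Review bot: The dropped `type->type == NFT_CHAIN_T_NAT && hook->priority <= NF_IP_PRI_CONNTRACK` check in nft_chain_parse_hook was a user-visible validation, so the commit message should state the behaviour change plainly: NAT base chains with a priority at or below NF_IP_PRI_CONNTRACK, which previously failed to register with -EOPNOTSUPP, will now be accepted. The rationale that the nat core runs NAT hooks at a fixed priority since 9971a514ed2697e is the right justification, but it is worth spelling out in the message that the priority value a user supplies is now purely an ordering key among NAT chains and is no longer checked for sanity anywhere, so anyone who relied on this rejection as a guard against misordering relative to conntrack has no replacement check. A brief note on whether any nftables selftest exercising this rejection needs to be updated would also help reviewers.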