From: Steve Hill <steve@xxxxxxxxxxxx>

nft_immediate_validate() and nft_lookup_validate_setelem() treat NFT_GOTO and NFT_JUMP identically, incrementing pctx->level for both. This results in a -EMLINK ("Too many links") being unexpectedly returned for rulesets that use lots of gotos.

This fixes this problem by not incrementing pctx->level when following gotos.

[ pablo@xxxxxxxxxxxxx: Rebased. Restore pctx->level on error for clarity ]

Fixes: 26b2f552525c ("netfilter: nf_tables: fix jumpstack depth validation")
Signed-off-by: Steve Hill <steve@xxxxxxxxxxxx>
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 net/netfilter/nft_immediate.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c
index c63eb3b17178..303c19e94a11 100644
--- a/net/netfilter/nft_immediate.c
+++ b/net/netfilter/nft_immediate.c
@@ -158,21 +158,21 @@ static int nft_immediate_validate(const struct nft_ctx *ctx,
 		return 0;
 
 	data = &priv->data;
-
+	err = 0;
 	switch (data->verdict.code) {
 	case NFT_JUMP:
-	case NFT_GOTO:
 		pctx->level++;
 		err = nft_chain_validate(ctx, data->verdict.chain);
-		if (err < 0)
-			return err;
 		pctx->level--;
 		break;
+	case NFT_GOTO:
+		err = nft_chain_validate(ctx, data->verdict.chain);
+		break;
 	default:
 		break;
 	}
 
-	return 0;
+	return err;
 }
 
 static int nft_immediate_offload_verdict(struct nft_offload_ctx *ctx,
-- 
2.20.1
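Review bot: The commit message says nft_lookup_validate_setelem() has the same NFT_GOTO/NFT_JUMP conflation, but the diffstat shows only net/netfilter/nft_immediate.c changed, so the lookup path presumably still counts gotos toward pctx->level unless that fix travels in a separate patch; the message should say which. In the new NFT_GOTO case the recursion into nft_chain_validate() is no longer bounded by pctx->level at all, which is only safe if goto cycles are rejected elsewhere before validation walks them; a comment such as `/* goto does not consume a jumpstack slot, so it is not counted against the depth limit */` above that `err = nft_chain_validate(...)` line would record the assumption for the next reader. The function's declarations, including where err is declared, start before the hunk, so the new unconditional `err = 0;` is the only initialisation visible here.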