From: Pablo Neira Ayuso
Date: Mon, 13 Oct 2014 17:50:22 +0000 (+0200)
Subject: netfilter: nf_tables: restrict nat/masq expressions to nat chain type
X-Git-Tag: omap-for-v3.19/fixes-not-urgent-part1~25^2~58^2~5
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7210e4e38f945dfa173c4a4e59ad827c9ecad541;p=pandora-kernel.git

netfilter: nf_tables: restrict nat/masq expressions to nat chain type

This adds the missing validation code to avoid the use of nat/masq from
non-nat chains. The validation assumes two possible configuration
scenarios:

1) Use of nat from base chain that is not of nat type. Reject this
   configuration from the nft_*_init() path of the expression.

2) Use of nat from non-base chain. In this case, we have to wait until
   the non-base chain is referenced by at least one base chain via
   jump/goto. This is resolved from the nft_*_validate() path which is
   called from nf_tables_check_loops().

The user gets an -EOPNOTSUPP in both cases.

Signed-off-by: Pablo Neira Ayuso
---

Reading git-diff-tree failed
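The two scenarios in the commit message, sketched as a small userspace model. This is an added example, not code from the commit or from the kernel: `struct chain`, `nat_expr_init()`, `validate_from()` and `add_jump()` are hypothetical names, and the jump graph is assumed to be loop-free.

```c
/* Userspace model only: structs and names are hypothetical, not nf_tables code. */
#include <errno.h>
#include <stdbool.h>
enum chain_type { CHAIN_FILTER, CHAIN_NAT };
struct chain {
    bool is_base;               /* base chain = attached to a hook */
    enum chain_type type;       /* only meaningful when is_base */
    bool has_nat;               /* chain holds a nat/masq expression */
    struct chain *targets[4];   /* jump/goto targets */
    int ntargets;
};

/* Scenario 1: at expression init, only a base chain can be judged. */
int nat_expr_init(struct chain *c)
{
    if (c->is_base && c->type != CHAIN_NAT)
        return -EOPNOTSUPP;
    c->has_nat = true;          /* non-base chain: decision is deferred */
    return 0;
}

/* Scenario 2: check everything a base chain reaches (graph assumed acyclic). */
static int validate_from(const struct chain *base, const struct chain *c)
{
    int err = (c->has_nat && base->type != CHAIN_NAT) ? -EOPNOTSUPP : 0;
    for (int i = 0; !err && i < c->ntargets; i++)
        err = validate_from(base, c->targets[i]);
    return err;
}

/* A new jump/goto re-validates every base chain; a rejected jump is undone. */
int add_jump(struct chain *from, struct chain *to, struct chain **bases, int n)
{
    int err = 0;
    if (from->ntargets == 4)
        return -ENOSPC;
    from->targets[from->ntargets++] = to;
    for (int i = 0; !err && i < n; i++)
        err = validate_from(bases[i], bases[i]);
    if (err)
        from->ntargets--;
    return err;
}

int main(void)
{
    struct chain filter = { .is_base = true, .type = CHAIN_FILTER }, user = { 0 };
    struct chain *bases[] = { &filter };
    return nat_expr_init(&user) || add_jump(&filter, &user, bases, 1) != -EOPNOTSUPP;
}
```

The model does not re-validate when a nat expression is added to a non-base chain that a base chain already reaches.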