Pandora Sourcecodes - pandora-kernel.git/commit

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 13 Oct 2014 17:50:22 +0000 (19:50 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 13 Oct 2014 18:42:00 +0000 (20:42 +0200)
commit	7210e4e38f945dfa173c4a4e59ad827c9ecad541
tree	f86826588257abd66235761163e113bfdd82594f	tree \| snapshot
parent	ab2d7251d666995740da17b2a51ca545ac5dd037	commit \| diff

netfilter: nf_tables: restrict nat/masq expressions to nat chain type

This adds the missing validation code to avoid the use of nat/masq from
non-nat chains. The validation assumes two possible configuration
scenarios:

1) Use of nat from base chain that is not of nat type. Reject this
   configuration from the nft_*_init() path of the expression.

2) Use of nat from non-base chain. In this case, we have to wait until
   the non-base chain is referenced by at least one base chain via
   jump/goto. This is resolved from the nft_*_validate() path which is
   called from nf_tables_check_loops().

The user gets an -EOPNOTSUPP in both cases.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/net/netfilter/nf_tables.h		diff \| blob \| history
include/net/netfilter/nft_masq.h		diff \| blob \| history
net/ipv4/netfilter/nft_masq_ipv4.c		diff \| blob \| history
net/ipv6/netfilter/nft_masq_ipv6.c		diff \| blob \| history
net/netfilter/nf_tables_api.c		diff \| blob \| history
net/netfilter/nft_masq.c		diff \| blob \| history
net/netfilter/nft_nat.c		diff \| blob \| history