aboutsummaryrefslogtreecommitdiffstats
path: root/net/ipv4/netfilter/ip_tables.c
diff options
context:
space:
mode:
authorJan Engelhardt <jengelh@medozas.de>2009-07-18 15:22:30 +0200
committerJan Engelhardt <jengelh@medozas.de>2009-08-10 13:35:31 +0200
commite2fe35c17fed62d4ab5038fa9bc489e967ff8416 (patch)
tree84a4b0b688276b6788081f441984abd01d036b4d /net/ipv4/netfilter/ip_tables.c
parent90e7d4ab5c8b0c4c2e00e4893977f6aeec0f18f1 (diff)
downloadmrst-s0i3-test-e2fe35c17fed62d4ab5038fa9bc489e967ff8416.tar.gz
mrst-s0i3-test-e2fe35c17fed62d4ab5038fa9bc489e967ff8416.tar.xz
mrst-s0i3-test-e2fe35c17fed62d4ab5038fa9bc489e967ff8416.zip
netfilter: xtables: check for standard verdicts in policies
This adds the second check that Rusty wanted to have a long time ago. :-) Base chain policies must have absolute verdicts that cease processing in the table, otherwise rule execution may continue in an unexpected spurious fashion (e.g. next chain that follows in memory). Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Diffstat (limited to 'net/ipv4/netfilter/ip_tables.c')
-rw-r--r--net/ipv4/netfilter/ip_tables.c21
1 files changed, 19 insertions, 2 deletions
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 6e546d573d9..0b43fd7ca04 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -708,6 +708,21 @@ find_check_entry(struct ipt_entry *e, const char *name, unsigned int size,
return ret;
}
+static bool check_underflow(struct ipt_entry *e)
+{
+ const struct ipt_entry_target *t;
+ unsigned int verdict;
+
+ if (!unconditional(&e->ip))
+ return false;
+ t = ipt_get_target(e);
+ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
+ return false;
+ verdict = ((struct ipt_standard_target *)t)->verdict;
+ verdict = -verdict - 1;
+ return verdict == NF_DROP || verdict == NF_ACCEPT;
+}
+
static int
check_entry_size_and_hooks(struct ipt_entry *e,
struct xt_table_info *newinfo,
@@ -740,8 +755,10 @@ check_entry_size_and_hooks(struct ipt_entry *e,
if ((unsigned char *)e - base == hook_entries[h])
newinfo->hook_entry[h] = hook_entries[h];
if ((unsigned char *)e - base == underflows[h]) {
- if (!unconditional(&e->ip)) {
- pr_err("Underflows must be unconditional\n");
+ if (!check_underflow(e)) {
+ pr_err("Underflows must be unconditional and "
+ "use the STANDARD target with "
+ "ACCEPT/DROP\n");
return -EINVAL;
}
newinfo->underflow[h] = underflows[h];