netfilter: xt_policy: fix strict mode inbound policy matching - kernel/linux.git

diff options

author	Jiexun Wang <wangjiexun2025@gmail.com>	2026-04-17 15:25:06 +0300
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2026-04-24 21:04:56 +0300
commit	4b2b4d7d4e203c92db8966b163edfacb1f0e1e29 (patch)
tree	ee34797f97fcfa35568d2492922517872cdc92b6 /include/linux
parent	10f79dbd7719d1da9f5884d13060322d8729f091 (diff)
download	linux-4b2b4d7d4e203c92db8966b163edfacb1f0e1e29.tar.xz

netfilter: xt_policy: fix strict mode inbound policy matching

match_policy_in() walks sec_path entries from the last transform to the first one, but strict policy matching needs to consume info->pol[] in the same forward order as the rule layout. Derive the strict-match policy position from the number of transforms already consumed so that multi-element inbound rules are matched consistently. Fixes: c4b885139203 ("[NETFILTER]: x_tables: replace IPv4/IPv6 policy match by address family independant version") Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Yifan Wu <yifanwucs@gmail.com> Reported-by: Juefei Pu <tomapufckgml@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> Acked-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'include/linux')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: