author | Florian Westphal <fw@strlen.de> | 2023-10-11 10:59:34 +0300 |
committer | Florian Westphal <fw@strlen.de> | 2023-10-18 11:26:43 +0300 |
commit | e15e5027106f3f6009d2fb46b3a1bb3d9e6a1b77 (patch) | |
tree | e448bbfa0e109251e300956f0e61a7b67be3bfb4 /net/ipv4 | |
parent | a0a86022474304e012aad5d41943fdd31a036284 (diff) | |
netfilter: xt_mangle: only check verdict part of return value
These checks assume that the called table walk only returns a bare NF_DROP,
without any errno embedded in the upper bits of the verdict.
This is fine right now, but followup patches will start to propagate
such errors to allow kfree_skb_drop_reason() in the called functions,
those would then indicate 'errno << 8 | NF_STOLEN'.
To not break things we have to mask those parts out.
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'net/ipv4')
-rw-r--r-- | net/ipv4/netfilter/iptable_mangle.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 3abb430af9e6..385d945d8ebe 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -36,12 +36,12 @@ static const struct xt_table packet_mangler = {
 static unsigned int
 ipt_mangle_out(void *priv, struct sk_buff *skb, const struct nf_hook_state *state)
 {
-	unsigned int ret;
+	unsigned int ret, verdict;
 	const struct iphdr *iph;
-	u_int8_t tos;
 	__be32 saddr, daddr;
-	u_int32_t mark;
+	u32 mark;
 	int err;
+	u8 tos;
 
 	/* Save things which could affect route */
 	mark = skb->mark;
@@ -51,8 +51,9 @@ ipt_mangle_out(void *priv, struct sk_buff *skb, const struct nf_hook_state *stat
 	tos = iph->tos;
 
 	ret = ipt_do_table(priv, skb, state);
+	verdict = ret & NF_VERDICT_MASK;
 	/* Reroute for ANY change. */
-	if (ret != NF_DROP && ret != NF_STOLEN) {
+	if (verdict != NF_DROP && verdict != NF_STOLEN) {
 		iph = ip_hdr(skb);
 
 		if (iph->saddr != saddr ||
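Review bot: The new `verdict = ret & NF_VERDICT_MASK;` line in the second hunk carries no explanation of why the masking is needed, and a reader of the file (rather than the commit log) will not see that `ret` may now hold `errno << 8 | NF_STOLEN`; I would annotate it, e.g. `/* ipt_do_table() may embed an errno above the verdict bits; compare only the verdict */`. Because the whole point is to let those upper bits reach the caller, the rest of ipt_mangle_out must keep returning the unmasked `ret` and must not substitute `verdict` anywhere that is returned or passed on; the function body, including its return and the reroute error path, ends outside this hunk, so I cannot confirm that from here. Any other direct comparisons of `ret` against NF_* constants in the remainder of the function, if present, would need the same masking to stay consistent with this check.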