diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2017-12-19 15:53:45 +0300 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-01-10 17:32:04 +0300 |
| commit | fe19c04ca13737a48277fad28d912efbd72c1772 (patch) | |
| tree | 0f60983ed7648da60a5eeaad2f26e4eb33ccab98 /net/netfilter | |
| parent | 61ad64080e039dce99a7f8d89b729bbea995e2f7 (diff) | |
| download | linux-fe19c04ca13737a48277fad28d912efbd72c1772.tar.xz | |
netfilter: nf_tables: remove nhooks field from struct nft_af_info
We already validate the hook through bitmask, so this check is
superfluous. When removing this, this patch is also fixing a bug in the
new flowtable codebase, since ctx->afi points to the table family
instead of the netdev family which is where the flowtable is really
hooked in.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter')
| -rw-r--r-- | net/netfilter/nf_tables_api.c | 5 | ||||
| -rw-r--r-- | net/netfilter/nf_tables_inet.c | 1 | ||||
| -rw-r--r-- | net/netfilter/nf_tables_netdev.c | 1 |
3 files changed, 1 insertions, 6 deletions
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 336b81689ac9..93e4e67e4b4d 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -1328,9 +1328,6 @@ static int nft_chain_parse_hook(struct net *net, return -EINVAL; hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM])); - if (hook->num >= afi->nhooks) - return -EINVAL; - hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY])); type = chain_type[afi->family][NFT_CHAIN_T_DEFAULT]; @@ -4993,7 +4990,7 @@ static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx, return -EINVAL; hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM])); - if (hooknum >= ctx->afi->nhooks) + if (hooknum != NF_NETDEV_INGRESS) return -EINVAL; priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY])); diff --git a/net/netfilter/nf_tables_inet.c b/net/netfilter/nf_tables_inet.c index 58b9be7480bb..00b1fc9cea2e 100644 --- a/net/netfilter/nf_tables_inet.c +++ b/net/netfilter/nf_tables_inet.c @@ -40,7 +40,6 @@ static unsigned int nft_do_chain_inet(void *priv, struct sk_buff *skb, static struct nft_af_info nft_af_inet __read_mostly = { .family = NFPROTO_INET, - .nhooks = NF_INET_NUMHOOKS, .owner = THIS_MODULE, }; diff --git a/net/netfilter/nf_tables_netdev.c b/net/netfilter/nf_tables_netdev.c index 42f6f6d42a6d..3da3dc7de945 100644 --- a/net/netfilter/nf_tables_netdev.c +++ b/net/netfilter/nf_tables_netdev.c @@ -40,7 +40,6 @@ nft_do_chain_netdev(void *priv, struct sk_buff *skb, static struct nft_af_info nft_af_netdev __read_mostly = { .family = NFPROTO_NETDEV, - .nhooks = NF_NETDEV_NUMHOOKS, .owner = THIS_MODULE, .flags = NFT_AF_NEEDS_DEV, }; |