This reverts commit
0d7df906a0e78079a02108b06d32c3ef2238ad25.
Valdis Kletnieks reported that xtables is broken in linux-next since
0d7df906a0e78 ("netfilter: x_tables: ensure last rule in base chain
matches underflow/policy"), as kernel rejects the (well-formed) ruleset:
[ 64.402790] ip6_tables: last base chain position 1136 doesn't match underflow 1344 (hook 1)
mark_source_chains is not the correct place for such a check, as it
terminates evaluation of a chain once it sees an unconditional verdict
(following rules are known to be unreachable). It seems preferrable to
fix libiptc instead, so remove this check again.
Fixes:
0d7df906a0e78 ("netfilter: x_tables: ensure last rule in base chain matches underflow/policy")
Reported-by: Valdis Kletnieks <valdis.kletnieks@vt.edu>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
for (hook = 0; hook < NF_ARP_NUMHOOKS; hook++) {
unsigned int pos = newinfo->hook_entry[hook];
struct arpt_entry *e = entry0 + pos;
- unsigned int last_pos, depth;
if (!(valid_hooks & (1 << hook)))
continue;
- depth = 0;
- last_pos = pos;
/* Set initial back pointer. */
e->counters.pcnt = pos;
pos = e->counters.pcnt;
e->counters.pcnt = 0;
- if (depth)
- --depth;
/* We're at the start. */
if (pos == oldpos)
goto next;
if (!xt_find_jump_offset(offsets, newpos,
newinfo->number))
return 0;
-
- if (entry0 + newpos != arpt_next_entry(e))
- ++depth;
} else {
/* ... this is a fallthru */
newpos = pos + e->next_offset;
e->counters.pcnt = pos;
pos = newpos;
}
- if (depth == 0)
- last_pos = pos;
- }
-next:
- if (last_pos != newinfo->underflow[hook]) {
- pr_err_ratelimited("last base chain position %u doesn't match underflow %u (hook %u)\n",
- last_pos, newinfo->underflow[hook], hook);
- return 0;
}
+next: ;
}
return 1;
}
for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
unsigned int pos = newinfo->hook_entry[hook];
struct ipt_entry *e = entry0 + pos;
- unsigned int last_pos, depth;
if (!(valid_hooks & (1 << hook)))
continue;
- depth = 0;
- last_pos = pos;
/* Set initial back pointer. */
e->counters.pcnt = pos;
pos = e->counters.pcnt;
e->counters.pcnt = 0;
- if (depth)
- --depth;
/* We're at the start. */
if (pos == oldpos)
goto next;
if (!xt_find_jump_offset(offsets, newpos,
newinfo->number))
return 0;
-
- if (entry0 + newpos != ipt_next_entry(e))
- ++depth;
} else {
/* ... this is a fallthru */
newpos = pos + e->next_offset;
e->counters.pcnt = pos;
pos = newpos;
}
- if (depth == 0)
- last_pos = pos;
- }
-next:
- if (last_pos != newinfo->underflow[hook]) {
- pr_err_ratelimited("last base chain position %u doesn't match underflow %u (hook %u)\n",
- last_pos, newinfo->underflow[hook], hook);
- return 0;
}
+next: ;
}
return 1;
}
for (hook = 0; hook < NF_INET_NUMHOOKS; hook++) {
unsigned int pos = newinfo->hook_entry[hook];
struct ip6t_entry *e = entry0 + pos;
- unsigned int last_pos, depth;
if (!(valid_hooks & (1 << hook)))
continue;
- depth = 0;
- last_pos = pos;
/* Set initial back pointer. */
e->counters.pcnt = pos;
pos = e->counters.pcnt;
e->counters.pcnt = 0;
- if (depth)
- --depth;
/* We're at the start. */
if (pos == oldpos)
goto next;
if (!xt_find_jump_offset(offsets, newpos,
newinfo->number))
return 0;
-
- if (entry0 + newpos != ip6t_next_entry(e))
- ++depth;
} else {
/* ... this is a fallthru */
newpos = pos + e->next_offset;
e->counters.pcnt = pos;
pos = newpos;
}
- if (depth == 0)
- last_pos = pos;
- }
-next:
- if (last_pos != newinfo->underflow[hook]) {
- pr_err_ratelimited("last base chain position %u doesn't match underflow %u (hook %u)\n",
- last_pos, newinfo->underflow[hook], hook);
- return 0;
}
+next: ;
}
return 1;
}
projects / linux.git / commitdiff