netfilter: nf_queue: fix reinject verdict handling [Linux 4.14.129]

This Linux kernel change "netfilter: nf_queue: fix reinject verdict handling" is included in the Linux 4.14.129 release. This change is authored by Jagdish Motwani <jagdish.motwani [at] sophos.com> on Mon May 13 23:47:40 2019 +0530. The commit for this change in the Linux stable tree is 20e4ded (patch), which is backported from upstream commit 946c0d8. The same upstream change may have been applied to various maintained Linux releases, and you can find all Linux releases containing changes from upstream 946c0d8.

netfilter: nf_queue: fix reinject verdict handling

[ Upstream commit 946c0d8e6ed43dae6527e878d0077c1e11015db0 ]

This patch fixes netfilter hook traversal when there are more than one hook
returning the NF_QUEUE verdict. When the first queue reinjects the packet,
'nf_reinject' starts traversing hooks with a proper hook_index. However,
if it again receives an NF_QUEUE verdict (by some other netfilter hook), it
queues the packet with a wrong hook_index. So, when the second queue
reinjects the packet, it re-executes hooks in between.

Fixes: 960632ece694 ("netfilter: convert hook list to an array")
Signed-off-by: Jagdish Motwani <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
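The commit message describes the traversal bug in prose. The following user-space model, added here as an illustration and not taken from the kernel or from the patch author, replays that traversal with and without the one-line fix so the re-execution of "hooks in between" becomes visible. The hook table, the verdict values, the trace structure and the function names `iterate`, `first_pass`, `reinject` and `simulate` are all constructed for this example; they stand in for nf_iterate, nf_hook_slow, nf_reinject and nf_queue respectively and omit everything (refcounts, okfn, drop handling) that is irrelevant to the index bookkeeping.

```c
/* Added example, not kernel code: a user-space model of the netfilter hook
 * traversal described in the commit message. Hook table, verdicts, trace
 * struct and function names are constructed for this illustration. */
#include <stdio.h>
#include <string.h>

enum verdict { V_ACCEPT, V_QUEUE };

#define NHOOKS 6

/* Constructed hook chain: hooks 1 and 4 hand the packet to a queue,
 * hooks 2 and 3 are the ones "in between". */
static const enum verdict hook_verdict[NHOOKS] =
    { V_ACCEPT, V_QUEUE, V_ACCEPT, V_ACCEPT, V_QUEUE, V_ACCEPT };

struct trace {
    int runs[NHOOKS];   /* how often each hook ran for one packet */
    int roundtrips;     /* how often the packet was sent to a queue */
};

/* Stand-in for struct nf_queue_entry: only the field that matters here. */
struct queue_entry {
    unsigned int hook_index;
};

/* Model of nf_iterate(): run hooks from *index onwards. With 'fixed' set,
 * the index of the hook that returned a non-accept verdict is stored back
 * into *index, which is the one-line change in the patch. */
static enum verdict iterate(struct trace *t, unsigned int *index, int fixed)
{
    unsigned int i = *index;

    while (i < NHOOKS) {
        t->runs[i]++;
        if (hook_verdict[i] != V_ACCEPT) {
            if (fixed)
                *index = i;     /* the fix: remember which hook queued */
            return hook_verdict[i];
        }
        i++;
    }
    *index = i;
    return V_ACCEPT;
}

/* Model of the first traversal (nf_hook_slow): it keeps its own loop
 * counter, so the first queueing hook is always recorded correctly. */
static enum verdict first_pass(struct trace *t, struct queue_entry *e)
{
    for (unsigned int s = 0; s < NHOOKS; s++) {
        t->runs[s]++;
        if (hook_verdict[s] == V_QUEUE) {
            e->hook_index = s;
            t->roundtrips++;
            return V_QUEUE;
        }
    }
    return V_ACCEPT;
}

/* Model of nf_reinject() after a user-space accept verdict: resume after
 * the recorded hook and, if another hook queues the packet, store whatever
 * index iterate() left behind, as nf_queue() would. */
static enum verdict reinject(struct trace *t, struct queue_entry *e, int fixed)
{
    unsigned int i = e->hook_index + 1;
    enum verdict v = iterate(t, &i, fixed);

    if (v == V_QUEUE) {
        e->hook_index = i;  /* stale index when the fix is missing */
        t->roundtrips++;
    }
    return v;
}

/* Push one packet through the chain until it is finally accepted and
 * return the number of queue round trips it needed. */
int simulate(int fixed, struct trace *t)
{
    struct queue_entry e = { 0 };

    memset(t, 0, sizeof(*t));
    if (first_pass(t, &e) == V_ACCEPT)
        return 0;
    while (reinject(t, &e, fixed) == V_QUEUE)
        ;
    return t->roundtrips;
}

int main(void)
{
    const char *label[2] = { "without fix", "with fix" };
    struct trace t;

    for (int fixed = 0; fixed < 2; fixed++) {
        int n = simulate(fixed, &t);
        printf("%-12s round trips=%d, runs per hook:", label[fixed], n);
        for (int i = 0; i < NHOOKS; i++)
            printf(" %d", t.runs[i]);
        printf("\n");
    }
    return 0;
}
```

With the fix every hook runs exactly once and the packet makes two queue round trips. Without it, the second reinject resumes at a stale index, so hooks 3 and 4 run again (hook 4 three times in total) and the packet makes four round trips before it is accepted; each extra pass re-executes whatever side effects those hooks have.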

There is one line of Linux source code added/deleted in this change. The code changes to the Linux kernel are as follows.

 net/netfilter/nf_queue.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index f7e2195..8260b1e7 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -193,6 +193,7 @@ static unsigned int nf_iterate(struct sk_buff *skb,
 repeat:
        verdict = nf_hook_entry_hookfn(hook, skb, state);
        if (verdict != NF_ACCEPT) {
+           *index = i;
            if (verdict != NF_REPEAT)
                return verdict;
            goto repeat;
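Review bot: the new `*index = i;` sits before the `NF_REPEAT` check, so it also runs on NF_REPEAT; that is harmless because the repeated hook is the same entry `i`, but the context lines give no hint why the store is needed, so a short comment above it (that `*index` must name the hook that issued the verdict so a later nf_reinject resumes after that hook rather than after the first queueing one) would document the intent for future readers. It is also worth confirming in the full function that `*index` is still assigned after the loop on the NF_ACCEPT path, so both exits of nf_iterate leave the index consistent.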
