linux/include/net
Pablo Neira Ayuso a654de8fdc netfilter: nf_tables: fix chain dependency validation
The following ruleset:

 add table ip filter
 add chain ip filter input { type filter hook input priority 4; }
 add chain ip filter ap
 add rule ip filter input jump ap
 add rule ip filter ap masquerade

results in a panic, because the masquerade extension should be rejected
from the filter chain. The existing validation is missing a chain
dependency check when the rule is added to the non-base chain.

This patch fixes the problem by walking down the rules from the
basechains, searching for either immediate or lookup expressions, then
jumping to non-base chains and again walking down the rules to perform
the expression validation, so we make sure the full ruleset graph is
validated. This is done only once from the commit phase; in case of a
problem, we abort the transaction and perform fine-grained validation for
error reporting. This patch requires 003087911a ("netfilter:
nfnetlink: allow commit to fail") to achieve this behaviour.

This patch also adds a cleanup callback to nfnl batch interface to reset
the validate state from the exit path.

As a result of this patch, nf_tables_check_loops() doesn't use
->validate to check for loops, instead it just checks for immediate
expressions.

Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-06-01 09:46:22 +02:00
9p 9p: Implement show_options 2017-07-11 06:08:58 -04:00
bluetooth Bluetooth: Add __hci_cmd_send function 2018-05-18 06:37:52 +02:00
caif caif: reduce stack size with KASAN 2018-01-19 14:02:12 -05:00
iucv net: annotate ->poll() instances 2017-11-27 16:20:04 -05:00
netfilter netfilter: nf_tables: fix chain dependency validation 2018-06-01 09:46:22 +02:00
netns netfilter: nf_tables: fix chain dependency validation 2018-06-01 09:46:22 +02:00
nfc NFC: Add nfc_dbg() macro 2017-04-05 10:15:20 +02:00
phonet net: phonet: mark phonet_protocol as const 2017-10-07 23:15:08 +01:00
sctp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-05-26 19:46:15 -04:00
tc_act net/sched: act_csum: don't use spinlock in the fast path 2018-01-23 19:51:46 -05:00
6lowpan.h 6lowpan: Fix IID format for Bluetooth 2017-04-12 22:02:36 +02:00
act_api.h net/sched: remove tcf_idr_cleanup() 2018-03-23 21:52:19 -04:00
addrconf.h net/ipv6: Add helper to return path MTU based on fib result 2018-05-22 10:51:09 +02:00
af_ieee802154.h
af_rxrpc.h rxrpc, afs: Use debug_ids rather than pointers in traces 2018-03-27 23:03:00 +01:00
af_unix.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
af_vsock.h VSOCK: use TCP state constants for sk_state 2017-10-05 18:44:17 -07:00
ah.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
arp.h ipv4: Make neigh lookup keys for loopback/point-to-point devices be INADDR_ANY 2018-01-15 14:53:43 -05:00
atmclip.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ax25.h net: Make ax25_ptr depend on CONFIG_AX25 2018-02-14 11:55:33 -05:00
ax88796.h net-next: ax88796: add interrupt status callback to platform data 2018-04-19 16:11:11 -04:00
bond_3ad.h
bond_alb.h
bond_options.h bonding: Prevent duplicate userspace notification 2017-05-27 18:51:41 -04:00
bonding.h bonding: allow use of tx hashing in balance-alb 2018-05-16 12:15:11 -04:00
busy_poll.h net: fix compilation when busy poll is not enabled 2017-08-11 14:59:24 -07:00
calipso.h net, calipso: convert calipso_doi.refcount from atomic_t to refcount_t 2017-07-04 22:35:16 +01:00
cfg80211-wext.h
cfg80211.h nl80211: Update ERP info using NL80211_CMD_UPDATE_CONNECT_PARAMS 2018-05-23 11:21:35 +02:00
cfg802154.h
checksum.h
cipso_ipv4.h net, ipv4: convert cipso_v4_doi.refcount from atomic_t to refcount_t 2017-07-04 01:29:04 -07:00
cls_cgroup.h
codel_impl.h
codel_qdisc.h
codel.h
compat.h net: remove compat_sys_*() prototypes from net/compat.h 2018-04-02 20:16:17 +02:00
datalink.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dcbevent.h
dcbnl.h net/dcb: Add dcbnl buffer attribute 2018-05-24 14:22:59 -07:00
devlink.h devlink: introduce a helper to generate physical port names 2018-05-19 16:30:39 -04:00
dn_dev.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dn_fib.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dn_neigh.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dn_nsp.h net/decnet: Convert timers to use timer_setup() 2017-10-18 12:39:36 +01:00
dn_route.h decnet: Move dn_next into decnet route structure. 2017-11-30 09:54:25 -05:00
dn.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
dsa.h net: dsa: Plug in PHYLINK support 2018-05-11 12:03:06 -04:00
dsfield.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dst_cache.h net: core: dst_cache_set_ip6: Rename 'addr' parameter to 'saddr' for consistency 2018-03-05 12:52:45 -05:00
dst_metadata.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
dst_ops.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dst.h net: core: dst: Add kernel-doc for 'net' parameter 2018-03-05 12:52:45 -05:00
erspan.h erspan: set bso bit based on mirrored packet's len 2018-05-20 18:31:42 -04:00
esp.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ethoc.h inet: whitespace cleanup 2018-02-28 11:43:28 -05:00
fib_notifier.h net: Add extack to fib_notifier_info 2017-11-01 11:50:43 +09:00
fib_rules.h net: fib_rules: add extack support 2018-04-23 10:21:24 -04:00
firewire.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
flow_dissector.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-05-11 20:53:22 -04:00
flow.h net: Remove unused get_hash_from_flow functions 2018-03-04 13:04:23 -05:00
fou.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
fq_impl.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-10-30 21:09:24 +09:00
fq.h fq: support filtering a given tin 2017-10-11 09:49:34 +02:00
garp.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
gen_stats.h net: sched: add support for TCQ_F_NOLOCK subqueues to sch_mq 2017-12-08 13:32:26 -05:00
genetlink.h genetlink: fix genlmsg_nlhdr() 2017-11-16 10:49:00 +09:00
geneve.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
gre.h net: GRE: Add is_gretap_dev, is_ip6gretap_dev 2018-02-27 14:46:26 -05:00
gro_cells.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
gtp.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
gue.h fou: fix some member types in guehdr 2017-12-11 14:10:06 -05:00
hwbm.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
icmp.h
ieee80211_radiotap.h mac80211: support reporting A-MPDU EOF bit value/known 2018-02-22 21:13:02 +01:00
ieee802154_netdev.h
if_inet6.h net/ipv6: Remove aca_idev 2018-04-19 15:40:13 -04:00
ife.h net: sched: ife: handle malformed tlv length 2018-04-22 21:12:00 -04:00
ila.h
inet6_connection_sock.h
inet6_hashtables.h net: ipv6: add second dif to inet6 socket lookups 2017-08-07 11:39:22 -07:00
inet_common.h net: Introduce __inet_bind() and __inet6_bind 2018-03-31 02:15:43 +02:00
inet_connection_sock.h net: ipv4: remove define INET_CSK_DEBUG and unnecessary EXPORT_SYMBOL 2018-05-10 17:43:55 -04:00
inet_ecn.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
inet_frag.h inet: frags: reorganize struct netns_frags 2018-03-31 23:25:39 -04:00
inet_hashtables.h inet: Add a 2nd listener hashtable (port+addr) 2017-12-03 10:18:28 -05:00
inet_sock.h udp: generate gso with UDP_SEGMENT 2018-04-26 15:08:04 -04:00
inet_timewait_sock.h tcp: Add mark for TIMEWAIT sockets 2018-05-10 17:44:52 -04:00
inetpeer.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ip6_checksum.h
ip6_fib.h net/ipv6: Add helper to return path MTU based on fib result 2018-05-22 10:51:09 +02:00
ip6_route.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2018-05-24 22:20:51 -04:00
ip6_tunnel.h ip6_gre: add erspan v2 support 2017-12-15 12:34:00 -05:00
ip_fib.h net/ipv4: Add helper to return path MTU based on fib result 2018-05-22 10:51:09 +02:00
ip_tunnels.h net/ipv4: Update ip_tunnel_metadata_cnt static key to modern api 2018-05-10 15:13:33 -04:00
ip_vs.h netfilter: ipvs: Keep latest weight of destination 2018-04-09 10:10:55 +03:00
ip.h ipv4: support sport, dport and ip_proto in RTM_GETROUTE 2018-05-23 15:14:12 -04:00
ipcomp.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ipconfig.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ipv6.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2018-05-06 21:51:37 -04:00
ipx.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
iw_handler.h net: Spelling s/stucture/structure/ 2018-03-27 09:51:23 +02:00
kcm.h
l3mdev.h
lapb.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
lib80211.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
llc_c_ac.h net: LLC: Convert timers to use timer_setup() 2017-10-25 12:06:25 +09:00
llc_c_ev.h
llc_c_st.h
llc_conn.h llc: delete timers synchronously in llc_sk_free() 2018-04-22 14:55:03 -04:00
llc_if.h
llc_pdu.h
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
llc.h net, llc: convert llc_sap.refcnt from atomic_t to refcount_t 2017-07-04 22:35:15 +01:00
lwtunnel.h net: Move ipv4 set_lwt_redirect helper to lwtunnel 2018-02-14 14:43:32 -05:00
mac80211.h mac80211: Support adding duration for prepare_tx() callback 2018-05-23 11:06:10 +02:00
mac802154.h
mip6.h
mld.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mpls_iptunnel.h net: mpls: Increase max number of labels for lwt encap 2017-04-01 20:21:44 -07:00
mpls.h
mrp.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ncsi.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ndisc.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
neighbour.h neighbour: support for NTF_EXT_LEARNED flag 2018-04-25 13:19:59 -04:00
net_namespace.h net: Introduce net_rwsem to protect net_namespace_list 2018-03-29 13:47:53 -04:00
net_ratelimit.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
netevent.h net/ipv6: Add support for path selection using hash of 5-tuple 2018-03-04 13:04:23 -05:00
netlabel.h net: convert netlbl_lsm_cache.refcount from atomic_t to refcount_t 2017-07-01 07:39:09 -07:00
netlink.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
netprio_cgroup.h
netrom.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nexthop.h net: fix rtnh_ok() 2018-04-07 22:32:31 -04:00
nl802154.h
nsh.h openvswitch: enable NSH support 2017-11-08 16:12:33 +09:00
p8022.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
page_pool.h xdp: introduce xdp_return_frame_rx_napi 2018-05-24 18:36:15 -07:00
ping.h
pkt_cls.h net_sched: switch to rcu_work 2018-05-24 22:56:15 -04:00
pkt_sched.h net: remove prototype of qdisc_lookup_class() 2018-01-16 14:56:54 -05:00
pptp.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
protocol.h IPv4: early demux can return an error code 2017-10-01 03:55:47 +01:00
psample.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
psnap.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
raw.h net: ipv4: add second dif to raw socket lookups 2017-08-07 11:39:21 -07:00
rawv6.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
red.h net_sched: red: Avoid illegal values 2017-12-05 14:37:13 -05:00
regulatory.h cfg80211: read wmm rules from regulatory database 2018-03-29 11:11:40 +02:00
request_sock.h tcp: socket option to set TCP fast open key 2017-10-20 13:21:36 +01:00
rose.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
route.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-03-23 11:31:58 -04:00
rsi_91x.h Bluetooth: btrsi: add new rsi bluetooth driver 2018-03-13 18:37:02 +02:00
rtnetlink.h rtnetlink: remove __rtnl_register 2017-12-04 11:32:53 -05:00
sch_generic.h sched: replace __QDISC_STATE_RUNNING bit with a spin lock 2018-05-17 12:46:54 -04:00
scm.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
secure_seq.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
seg6_hmac.h
seg6_local.h bpf: Add IPv6 Segment Routing helpers 2018-05-24 11:57:35 +02:00
seg6.h ipv6: sr: export function lookup_nexthop 2018-05-24 11:57:35 +02:00
slhc_vj.h slip: Check if rstate is initialized before uncompressing 2018-04-11 10:33:46 -04:00
smc.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
snmp.h
sock_reuseport.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sock.h net/sock: Update memalloc_socks static key to modern api 2018-05-10 15:13:34 -04:00
Space.h net/mac89x0: Convert to platform_driver 2018-03-01 21:21:36 -05:00
stp.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
strparser.h strparser: Use delayed work instead of timer for msg timeout 2017-10-25 10:37:11 +09:00
switchdev.h switchdev: Add fdb.added_by_user to switchdev notifications 2018-05-03 13:46:47 -04:00
tcp_states.h tcp: remove the hardcode in the definition of TCPF Macro 2018-02-21 15:06:05 -05:00
tcp.h tcp: add SACK compression 2018-05-18 11:40:27 -04:00
timewait_sock.h
tipc.h flow_dissector: do not rely on implicit casts 2018-05-08 00:02:41 -04:00
tls.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-05-21 16:01:54 -04:00
transp_v6.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
tso.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
tun_proto.h vxlan: factor out VXLAN-GPE next protocol 2017-08-29 15:16:52 -07:00
udp_tunnel.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
udp.h udp: Do not pass checksum as a parameter to GSO segmentation 2018-05-08 22:30:06 -04:00
udplite.h udplite: fix partial checksum initialization 2018-02-16 15:57:42 -05:00
vsock_addr.h
vxlan.h vxlan: add ttl inherit support 2018-04-17 13:53:13 -04:00
wext.h lift handling of SIOCIW... out of dev_ioctl() 2018-01-24 19:13:45 -05:00
wimax.h
x25.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
x25device.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xdp_sock.h xsk: clean up SPDX headers 2018-05-18 16:07:02 +02:00
xdp.h xdp: introduce xdp_return_frame_rx_napi 2018-05-24 18:36:15 -07:00
xfrm.h xfrm: Fix warning in xfrm6_tunnel_net_exit. 2018-04-16 07:50:09 +02:00