Message ID | 20231018085118.10829-5-fw@strlen.de (mailing list archive) |
---|---|
State | Accepted |
Commit | 35c038b0a4be197679deefaf96998241cb7efc88 |
Delegated to: | Netdev Maintainers |
Series | [net-next,1/7] netfilter: xt_mangle: only check verdict part of return value |
Context | Check | Description |
---|---|---|
netdev/tree_selection | success | Clearly marked for net-next |
netdev/apply | success | Patch already applied to net-next |
diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c index 5a049740758f..6d969468c779 100644 --- a/net/netfilter/nf_nat_proto.c +++ b/net/netfilter/nf_nat_proto.c @@ -999,11 +999,12 @@ static unsigned int nf_nat_ipv6_in(void *priv, struct sk_buff *skb, const struct nf_hook_state *state) { - unsigned int ret; + unsigned int ret, verdict; struct in6_addr daddr = ipv6_hdr(skb)->daddr; ret = nf_nat_ipv6_fn(priv, skb, state); - if (ret != NF_DROP && ret != NF_STOLEN && + verdict = ret & NF_VERDICT_MASK; + if (verdict != NF_DROP && verdict != NF_STOLEN && ipv6_addr_cmp(&daddr, &ipv6_hdr(skb)->daddr)) skb_dst_drop(skb);
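Review bot: the reason the raw `ret` must not be compared against NF_DROP/NF_STOLEN (later patches embed an errno in the upper bits of NF_STOLEN as NF_DROP already can) lives only in the commit message; a one-line comment above `verdict = ret & NF_VERDICT_MASK;` in nf_nat_ipv6_in() would keep that rationale with the code, since the function on its own gives no hint that the high bits may be non-zero. The change itself is sound: only the `if` uses the masked `verdict`, nothing else in the hunk touches `ret`, so the errno bits are left intact for whoever consumes the full return value, and `ipv6_addr_cmp()` is still short-circuited for dropped and stolen skbs.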
Same as previous change: we need to mask out the non-verdict bits, as upcoming patches may embed an errno value in NF_STOLEN verdicts too.

NF_DROP could already do this, but not all called functions do this.

Checks that only test ret vs NF_ACCEPT are fine; the 'errno parts' are always 0 for those.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nf_nat_proto.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
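The following is an added, stand-alone illustration of the masking the commit message describes; it is not code from this patch or from the kernel. The verdict constants and the `NF_DROP_ERR()` encoding are reproduced from `include/uapi/linux/netfilter.h` so it builds in user space; the two `dst_check_needed_*` helpers are this example's own names for the pre- and post-patch shape of the check in `nf_nat_ipv6_in()`, and the sample return values are constructed. It shows why a raw comparison misclassifies a drop that carries an errno, while the masked comparison does not, and why a plain `ret == NF_ACCEPT` test needs no mask.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Verdict codes and the errno encoding, reproduced from
 * include/uapi/linux/netfilter.h so this builds outside the kernel tree.
 * The verdict proper lives in the low byte; a drop may carry a negated
 * errno in the bits above NF_VERDICT_QBITS. NF_ACCEPT never carries one.
 */
#define NF_DROP          0
#define NF_ACCEPT        1
#define NF_STOLEN        2
#define NF_VERDICT_MASK  0x000000ff
#define NF_VERDICT_QBITS 16
#define NF_DROP_ERR(x)   ((((-(x))) << NF_VERDICT_QBITS) | NF_DROP)

/* Pre-patch shape of the check in nf_nat_ipv6_in(): compares the raw value.
 * An NF_DROP_ERR() value is != NF_DROP here, so the packet is wrongly treated
 * as still alive. (Hypothetical helper name.) */
static bool dst_check_needed_raw(unsigned int ret)
{
	return ret != NF_DROP && ret != NF_STOLEN;
}

/* Post-patch shape: mask down to the verdict code before comparing.
 * (Hypothetical helper name.) */
static bool dst_check_needed_masked(unsigned int ret)
{
	unsigned int verdict = ret & NF_VERDICT_MASK;

	return verdict != NF_DROP && verdict != NF_STOLEN;
}

/* Recover the errno embedded in a drop verdict (0 when none); mirrors what
 * the kernel's NF_DROP_GETERR() macro computes. */
static int verdict_errno(unsigned int ret)
{
	return -(int)(ret >> NF_VERDICT_QBITS);
}

int main(void)
{
	/* Constructed return values as a hook function might produce them. */
	const unsigned int samples[] = {
		NF_ACCEPT,
		NF_DROP,
		NF_STOLEN,
		NF_DROP_ERR(-EPERM),
		NF_DROP_ERR(-EHOSTUNREACH),
	};
	size_t i;

	printf("%-10s %-6s %-6s %s\n", "ret", "raw", "masked", "errno");
	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		unsigned int ret = samples[i];

		printf("0x%08x %-6s %-6s %d\n", ret,
		       dst_check_needed_raw(ret) ? "yes" : "no",
		       dst_check_needed_masked(ret) ? "yes" : "no",
		       verdict_errno(ret));
	}
	return 0;
}
```

The table the program prints makes the failure mode visible: for `NF_DROP_ERR(-EPERM)` the raw check answers "yes" and the masked check "no", while for plain `NF_DROP`, `NF_STOLEN` and `NF_ACCEPT` both agree. The errno bits are only meaningful to the caller that turns the verdict into a return code, which is why the mask belongs on the comparison and not on the value that is returned.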