[NETFILTER]: nf_queue: handle NF_STOP and unknown verdicts in nf_reinject
authorPatrick McHardy <kaber@trash.net>
Tue, 25 Jul 2006 05:52:47 +0000 (22:52 -0700)
committerDavid S. Miller <davem@davemloft.net>
Tue, 25 Jul 2006 05:52:47 +0000 (22:52 -0700)
In case of an unknown verdict or NF_STOP the packet leaks. Unknown verdicts
can happen when userspace is buggy. Reinject the packet in case of NF_STOP,
drop on unknown verdicts.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/netfilter/nf_queue.c

index bb6fcee452ca37f8a683d89a4c63775ea250b004..662a869593bff6ea852180428b8ac0dbf8af1692 100644 (file)
@@ -219,21 +219,20 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
 
        switch (verdict & NF_VERDICT_MASK) {
        case NF_ACCEPT:
+       case NF_STOP:
                info->okfn(skb);
+       case NF_STOLEN:
                break;
-
        case NF_QUEUE:
                if (!nf_queue(&skb, elem, info->pf, info->hook, 
                              info->indev, info->outdev, info->okfn,
                              verdict >> NF_VERDICT_BITS))
                        goto next_hook;
                break;
+       default:
+               kfree_skb(skb);
        }
        rcu_read_unlock();
-
-       if (verdict == NF_DROP)
-               kfree_skb(skb);
-
        kfree(info);
        return;
 }
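Review bot: The new `default:` arm frees the skb for both NF_DROP and any out-of-range verdict, so a deliberate drop and a malformed verdict from a userspace queue handler take the same silent path. Listing `case NF_DROP:` explicitly ahead of `default:` would keep the intended drop readable and reserve `default:` for values that should never arrive. A rate-limited warning there, e.g. under `net_ratelimit()`, would then make a buggy handler diagnosable instead of showing up only as unexplained packet loss. The fall-through from `info->okfn(skb);` into `case NF_STOLEN:` looks intentional but is unmarked; a `/* fall through */` comment after the call would stop it reading as a missing `break;`. The start of nf_reinject, including the `next_hook` label, lies outside this hunk.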