git.baikalelectronics.ru Git - kernel.git/commit

author	Dmitry Mishin <dim@openvz.org>
	Tue, 5 Dec 2006 21:43:50 +0000 (13:43 -0800)
committer	David S. Miller <davem@sunset.davemloft.net>
	Thu, 7 Dec 2006 02:39:02 +0000 (18:39 -0800)
commit	0894cc00b8ccbade5aca9f02f3898d0e657327c4
tree	fa3c59bcd8121b469013b49963fb561f0fa30903	tree \| snapshot
parent	acf6990daae644b05b751a7e8ce77acfc9a15ad1	commit \| diff

[NETFILTER]: Fix {ip,ip6,arp}_tables hook validation

Commit 36c1e209253341991a80a18b52b07a00867be689 introduced a regression
in match/target hook validation. mark_source_chains builds a bitmask
for each rule representing the hooks it can be reached from, which is
then used by the matches and targets to make sure they are only called
from valid hooks. The patch moved the match/target specific validation
before the mark_source_chains call, at which point the mask is always zero.

This patch returns back to the old order and moves the standard checks
to mark_source_chains. This allows to get rid of a special case for
standard targets as a nice side-effect.

Signed-off-by: Dmitry Mishin <dim@openvz.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/ipv4/netfilter/arp_tables.c		diff \| blob \| history
net/ipv4/netfilter/ip_tables.c		diff \| blob \| history
net/ipv6/netfilter/ip6_tables.c		diff \| blob \| history