git.baikalelectronics.ru Git - kernel.git/commit

author	Florian Westphal <fw@strlen.de>
	Fri, 30 Mar 2018 09:39:12 +0000 (11:39 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Fri, 30 Mar 2018 10:20:32 +0000 (12:20 +0200)
commit	f0ce8f7b21b89aa810b77bc1fc3449fa39c7654b
tree	3a09869c582d612e08c626d94a0c67fd6742e11d	tree \| snapshot
parent	9bc4455861aac58053f0702701788fd46d8bdf51	commit \| diff

Revert "netfilter: x_tables: ensure last rule in base chain matches underflow/policy"

This reverts commit 845466e1bf22b6ad031671ec9d30245d7ab46b12.

Valdis Kletnieks reported that xtables is broken in linux-next since
845466e1bf22b ("netfilter: x_tables: ensure last rule in base chain
matches underflow/policy"), as kernel rejects the (well-formed) ruleset:

[ 64.402790] ip6_tables: last base chain position 1136 doesn't match underflow 1344 (hook 1)

mark_source_chains is not the correct place for such a check, as it
terminates evaluation of a chain once it sees an unconditional verdict
(following rules are known to be unreachable). It seems preferrable to
fix libiptc instead, so remove this check again.

Fixes: 845466e1bf22b ("netfilter: x_tables: ensure last rule in base chain matches underflow/policy")
Reported-by: Valdis Kletnieks <valdis.kletnieks@vt.edu>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

net/ipv4/netfilter/arp_tables.c		diff \| blob \| history
net/ipv4/netfilter/ip_tables.c		diff \| blob \| history
net/ipv6/netfilter/ip6_tables.c		diff \| blob \| history