netfilter: nft_compat: relax chain type validation (c918687f) · Commits · 戴 / test

net/netfilter/nft_compat.c

+2 −30

Original line number	Diff line number	Diff line
		@@ -21,45 +21,17 @@
		#include <linux/netfilter_ipv6/ip6_tables.h>
		#include <net/netfilter/nf_tables.h>

		static const struct {
		const char *name;
		u8 type;
		} table_to_chaintype[] = {
		{ "filter", NFT_CHAIN_T_DEFAULT },
		{ "raw", NFT_CHAIN_T_DEFAULT },
		{ "security", NFT_CHAIN_T_DEFAULT },
		{ "mangle", NFT_CHAIN_T_ROUTE },
		{ "nat", NFT_CHAIN_T_NAT },
		{ },
		};

		static int nft_compat_table_to_chaintype(const char *table)
		{
		int i;

		for (i = 0; table_to_chaintype[i].name != NULL; i++) {
		if (strcmp(table_to_chaintype[i].name, table) == 0)
		return table_to_chaintype[i].type;
		}

		return -1;
		}

		static int nft_compat_chain_validate_dependency(const char *tablename,
		const struct nft_chain *chain)
		{
		enum nft_chain_type type;
		const struct nft_base_chain *basechain;

		if (!tablename \|\| !(chain->flags & NFT_BASE_CHAIN))
		return 0;

		type = nft_compat_table_to_chaintype(tablename);
		if (type < 0)
		return -EINVAL;

		basechain = nft_base_chain(chain);
		if (basechain->type->type != type)
		if (strcmp(tablename, "nat") == 0 &&
		basechain->type->type != NFT_CHAIN_T_NAT)
		return -EINVAL;

		return 0;