git.kernelconcepts.de Git - karo-tx-linux.git/commit

author	Patrick McHardy <kaber@trash.net>
	Mon, 6 Apr 2009 15:31:29 +0000 (17:31 +0200)
committer	Chris Wright <chrisw@sous-sol.org>
	Mon, 27 Apr 2009 17:36:58 +0000 (10:36 -0700)
commit	6bc1b5deb47f0fc3d697abd2fcd417618cf07e3f
tree	3b9db7780cb5f6f2fdac8bfc7b1b7c845e5cc6e4	tree \| snapshot
parent	3b3e59f78d3bf0e0818a9b759484138d4300a72e	commit \| diff

netfilter: {ip, ip6, arp}_tables: fix incorrect loop detection

upstream commit: 1f9352ae2253a97b07b34dcf16ffa3b4ca12c558

Commit e1b4b9f ([NETFILTER]: {ip,ip6,arp}_tables: fix exponential worst-case
search for loops) introduced a regression in the loop detection algorithm,
causing sporadic incorrectly detected loops.

When a chain has already been visited during the check, it is treated as
having a standard target containing a RETURN verdict directly at the
beginning in order to not check it again. The real target of the first
rule is then incorrectly treated as STANDARD target and checked not to
contain invalid verdicts.

Fix by making sure the rule does actually contain a standard target.

Based on patch by Francis Dupont <Francis_Dupont@isc.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>

net/ipv4/netfilter/arp_tables.c		diff \| blob \| history
net/ipv4/netfilter/ip_tables.c		diff \| blob \| history
net/ipv6/netfilter/ip6_tables.c		diff \| blob \| history