git.kernelconcepts.de Git - karo-tx-linux.git/commit

author	Dmitry Mishin <dim@openvz.org>
	Mon, 4 Dec 2006 11:22:07 +0000 (12:22 +0100)
committer	Chris Wright <chrisw@sous-sol.org>
	Mon, 11 Dec 2006 19:32:38 +0000 (11:32 -0800)
commit	9d62d3f1f0eb730d9308aa4fa427a0e682d22b5f
tree	4f777f422280d4f73ba733983ec4fc0e4fc880f3	tree \| snapshot
parent	c856e3d57e3fdb74237ddfb8356e1cabee94c155	commit \| diff

[PATCH] NETFILTER: Fix {ip, ip6, arp}_tables hook validation

Commit 590bdf7fd2292b47c428111cb1360e312eff207e introduced a regression
in match/target hook validation. mark_source_chains builds a bitmask
for each rule representing the hooks it can be reached from, which is
then used by the matches and targets to make sure they are only called
from valid hooks. The patch moved the match/target specific validation
before the mark_source_chains call, at which point the mask is always zero.

This patch returns back to the old order and moves the standard checks
to mark_source_chains. This allows to get rid of a special case for
standard targets as a nice side-effect.

Signed-off-by: Dmitry Mishin <dim@openvz.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>

net/ipv4/netfilter/arp_tables.c		diff \| blob \| history
net/ipv4/netfilter/ip_tables.c		diff \| blob \| history
net/ipv6/netfilter/ip6_tables.c		diff \| blob \| history