
netfilter: nf_tables: mask out non-verdict bits when checking return value

nftables trace infra must mask out the non-verdict bits of the
return value; otherwise follow-up changes that 'return errno << 8 | NF_STOLEN'
will cause breakage.

Signed-off-by: Florian Westphal <fw@strlen.de>

+7 -3
+1 -1
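--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -115,7 +115,7 @@
 {
 	enum nft_trace_types type;
 
-	switch (regs->verdict.code) {
+	switch (regs->verdict.code & NF_VERDICT_MASK) {
 	case NFT_CONTINUE:
 	case NFT_RETURN:
 		type = NFT_TRACETYPE_RETURN;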
+6 -2
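--- a/net/netfilter/nf_tables_trace.c
+++ b/net/netfilter/nf_tables_trace.c
@@ -258,17 +258,21 @@
 	case __NFT_TRACETYPE_MAX:
 		break;
 	case NFT_TRACETYPE_RETURN:
-	case NFT_TRACETYPE_RULE:
+	case NFT_TRACETYPE_RULE: {
+		unsigned int v;
+
 		if (nft_verdict_dump(skb, NFTA_TRACE_VERDICT, verdict))
 			goto nla_put_failure;
 
 		/* pkt->skb undefined iff NF_STOLEN, disable dump */
-		if (verdict->code == NF_STOLEN)
+		v = verdict->code & NF_VERDICT_MASK;
+		if (v == NF_STOLEN)
 			info->packet_dumped = true;
 		else
 			mark = pkt->skb->mark;
 
 		break;
+	}
 	case NFT_TRACETYPE_POLICY:
 		mark = pkt->skb->mark;
 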
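Review bot: The masked verdict stored in `v` on new line 268 feeds only the single comparison on the next line, so the added case braces and the `unsigned int v;` declaration could be avoided by folding the mask into the test: `if ((verdict->code & NF_VERDICT_MASK) == NF_STOLEN)`. Whichever form is kept, the comment above it should state why the mask is needed, since that reasoning currently lives only in the commit message; something like `/* pkt->skb undefined iff NF_STOLEN; the upper verdict bits may carry an errno, so compare the masked value */`. The enclosing switch begins and ends outside the hunk. Note also that nft_verdict_dump() on new line 264 still receives the unmasked verdict, so if upper bits are later populated they would be reported to userspace as-is; whether that is intended is worth confirming.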