git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - queue-4.19/netfilter-nf_queue-fix-reinject-verdict-handling.patch
1 From 8974d5d6481d0b34ab9354d637199ede78654a9b Mon Sep 17 00:00:00 2001
2 From: Jagdish Motwani <jagdish.motwani@sophos.com>
3 Date: Mon, 13 May 2019 23:47:40 +0530
4 Subject: netfilter: nf_queue: fix reinject verdict handling
5
6 [ Upstream commit 946c0d8e6ed43dae6527e878d0077c1e11015db0 ]
7
8 This patch fixes netfilter hook traversal when there is more than one hook
9 returning an NF_QUEUE verdict. When the first queue reinjects the packet,
10 'nf_reinject' starts traversing hooks with a proper hook_index. However,
11 if it again receives an NF_QUEUE verdict (by some other netfilter hook), it
12 queues the packet with a wrong hook_index. So, when the second queue
13 reinjects the packet, it re-executes hooks in between.
14
15 Fixes: 960632ece694 ("netfilter: convert hook list to an array")
16 Signed-off-by: Jagdish Motwani <jagdish.motwani@sophos.com>
17 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
18 Signed-off-by: Sasha Levin <sashal@kernel.org>
19 ---
20 net/netfilter/nf_queue.c | 1 +
21 1 file changed, 1 insertion(+)
22
23 diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
24 index d67a96a25a68..7569ba00e732 100644
25 --- a/net/netfilter/nf_queue.c
26 +++ b/net/netfilter/nf_queue.c
27 @@ -238,6 +238,7 @@ static unsigned int nf_iterate(struct sk_buff *skb,
28 repeat:
29 verdict = nf_hook_entry_hookfn(hook, skb, state);
30 if (verdict != NF_ACCEPT) {
31 + *index = i;
32 if (verdict != NF_REPEAT)
33 return verdict;
34 goto repeat;
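Review bot: the added "*index = i;" at the top of the "verdict != NF_ACCEPT" branch carries no comment explaining why the position has to be written back, and it runs for every non-accept verdict, including each NF_REPEAT pass before "goto repeat", although the commit message only needs it for NF_QUEUE. As far as these lines show that is harmless, but a one-line comment saying that the store records the position of the hook that returned the verdict, so a packet queued again from here is stored with the right hook_index, would make the dependency on the reinject path explicit. The rest of nf_iterate is outside this hunk, so it is worth confirming that no other return path leaves *index pointing at an earlier hook.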
35 --
36 2.20.1
37