]> git.ipfire.org Git - thirdparty/kernel/linux.git/commit
projects / thirdparty / kernel / linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 3d5d488) | patch
netfilter: nf_tables: reject immediate NF_QUEUE verdict
authorPablo Neira Ayuso <pablo@netfilter.org>
Tue, 31 Mar 2026 21:08:02 +0000 (23:08 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Wed, 1 Apr 2026 09:55:30 +0000 (11:55 +0200)
commitda107398cbd4bbdb6bffecb2ce86d5c9384f4cec
treef07cd6eb7ba50a53ce6f69ef03030150aa22b7ectree | snapshot
parent3d5d488f11776738deab9da336038add95d342d1commit | diff
netfilter: nf_tables: reject immediate NF_QUEUE verdict

nft_queue is always used from userspace nftables to deliver the NF_QUEUE
verdict. Immediately emitting an NF_QUEUE verdict is never used by the
userspace nft tools, so reject immediate NF_QUEUE verdicts.

The arp family does not provide queue support, but such an immediate
verdict is still reachable. Globally reject NF_QUEUE immediate verdicts
to address this issue.

Fixes: f342de4e2f33 ("netfilter: nf_tables: reject QUEUE/DROP verdict parameters")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nf_tables_api.c diff | blob | blame | history
A mirror of Linus' kernel repository