mirror of https://gitee.com/openkylin/linux.git
55917a21d0
Currently, we have four xtables extensions that cannot be used from the xt over nft compat layer. The problem is that they need real access to the full blown xt_entry to validate that the rule comes with the right dependencies. This check was introduced to overcome the lack of sufficient userspace dependency validation in iptables. To resolve this problem, this patch introduces a new field to the xt_tgchk_param structure that tell us if the extension is run from nft_compat context. The three affected extensions are: 1) CLUSTERIP, this target has been superseded by xt_cluster. So just bail out by returning -EINVAL. 2) TCPMSS. Relax the checking when used from nft_compat. If used with the wrong configuration, it will corrupt !syn packets by adding TCP MSS option. 3) ebt_stp. Relax the check to make sure it uses the reserved destination MAC address for STP. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Tested-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> |
||
|---|---|---|
| .. | ||
| Kconfig | ||
| Makefile | ||
| ebt_802_3.c | ||
| ebt_among.c | ||
| ebt_arp.c | ||
| ebt_arpreply.c | ||
| ebt_dnat.c | ||
| ebt_ip.c | ||
| ebt_ip6.c | ||
| ebt_limit.c | ||
| ebt_log.c | ||
| ebt_mark.c | ||
| ebt_mark_m.c | ||
| ebt_nflog.c | ||
| ebt_pkttype.c | ||
| ebt_redirect.c | ||
| ebt_snat.c | ||
| ebt_stp.c | ||
| ebt_vlan.c | ||
| ebtable_broute.c | ||
| ebtable_filter.c | ||
| ebtable_nat.c | ||
| ebtables.c | ||
| nf_log_bridge.c | ||
| nf_tables_bridge.c | ||
| nft_meta_bridge.c | ||
| nft_reject_bridge.c | ||