netfilter: nf_tables: reject immediate NF_QUEUE verdict

nft_queue is always used from userspace nftables to deliver the NF_QUEUE
verdict. Immediately emitting an NF_QUEUE verdict is never used by the
userspace nft tools, so reject immediate NF_QUEUE verdicts.

The arp family does not provide queue support, but such an immediate
verdict is still reachable. Globally reject NF_QUEUE immediate verdicts
to address this issue.

Fixes: f342de4e2f ("netfilter: nf_tables: reject QUEUE/DROP verdict parameters")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pablo Neira Ayuso 2026-03-31 23:08:02 +02:00
parent 3d5d488f11
commit da107398cb
1 changed files with 5 additions and 2 deletions


@ -11667,8 +11667,6 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
switch (data->verdict.code) { switch (data->verdict.code) {
case NF_ACCEPT: case NF_ACCEPT:
case NF_DROP: case NF_DROP:
case NF_QUEUE:
break;
case NFT_CONTINUE: case NFT_CONTINUE:
case NFT_BREAK: case NFT_BREAK:
case NFT_RETURN: case NFT_RETURN:
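Review bot: removing `case NF_QUEUE:` from the accepted-verdict list here is a user-visible ABI tightening, since a verdict code that nft_verdict_init() previously let through now returns -EINVAL for every family, not just arp; the commit message justifies this by noting that the nft userspace tools only ever emit NF_QUEUE through the nft_queue expression, and it would help to state explicitly that any other netlink client that loaded rulesets with an immediate NF_QUEUE verdict will now fail at rule load time rather than at packet time.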
@ -11703,6 +11701,11 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
data->verdict.chain = chain; data->verdict.chain = chain;
break; break;
case NF_QUEUE:
/* The nft_queue expression is used for this purpose, an
* immediate NF_QUEUE verdict should not ever be seen here.
*/
fallthrough;
default: default:
return -EINVAL; return -EINVAL;
} }
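Review bot: the explicit `case NF_QUEUE:` with `fallthrough;` into `default:` is behaviourally identical to omitting the case, so its only purpose is the comment; that is fine, but the comment should say why the verdict is rejected rather than that it "should not ever be seen here", e.g. "NF_QUEUE is delivered via the nft_queue expression; families such as arp have no queue support, so an immediate NF_QUEUE verdict is rejected." Also consider whether returning the same -EINVAL as the unknown-verdict default path gives userspace enough to tell "unsupported verdict" from "malformed attribute"; a distinct error or extack message may be worth it if one is available in this function.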