| author | Alin Năstac <alin.nastac@gmail.com> | 2015-10-22 16:41:03 +0200 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2015-10-28 01:52:14 +0100 |
| commit | 4c3e5cd3dbae3ea773e9dcca7cf019b2713af70d (patch) | |
| tree | a546ce6779c344dcc1742e4012fc3647e6d4a063 /extensions/ebt_nflog.c | |
| parent | f8079671326e9fd079391d24911a9a8a77f1d6fd (diff) | |
| download | ebtables-4c3e5cd3dbae3ea773e9dcca7cf019b2713af70d.tar.gz | |
ebtables: Allow RETURN target rules in user defined chains
During loop checking ebtables marks entries with '1 << NF_BR_NUMHOOKS' if
they're called from a base chain rather than a user defined chain.
This can be used by ebtables targets that can encode a special return
value to bail out if e.g. RETURN is used from a base chain.
Unfortunately, this is broken, since the '1 << NF_BR_NUMHOOKS' is also
copied to called user-defined-chains (i.e., a user defined chain can no
longer be distinguished from a base chain):
root@OpenWrt:~# ebtables -N foo
root@OpenWrt:~# ebtables -A OUTPUT -j foo
root@OpenWrt:~# ebtables -A foo -j mark --mark-or 3 --mark-target RETURN
--mark-target RETURN not allowed on base chain.
This works if -A OUTPUT -j foo is omitted, but will still appear
if we try to call foo from OUTPUT afterwards.
After this patch we still reject
'-A OUTPUT -j mark .. --mark-target RETURN'.
Signed-off-by: Florian Westphal <fw@strlen.de>
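The marking the commit message describes, as a constructed C model added here (not ebtables code): a depth-first walk from each base chain, run once copying the base-chain bit into called user chains (the broken behaviour) and once keeping it on genuine base chains only, then the target-side check applied to the OUTPUT/foo session above. NF_BR_NUMHOOKS = 6, the struct and the function names are assumptions of this model, and the chain graph is assumed acyclic (the real loop checker also detects loops).

```c
#include <stdbool.h>

/* Constructed model of the loop-check marking described in the commit message;
 * names mirror ebtables' but this is not ebtables code. NF_BR_NUMHOOKS = 6 is
 * the Linux bridge hook count, assumed here. */
#define NF_BR_NUMHOOKS 6
#define BASE_CHAIN_MARK (1u << NF_BR_NUMHOOKS) /* "called from a base chain" */

struct chain {
    bool is_base;         /* hook chain such as OUTPUT */
    unsigned int mark;    /* loop-check marks, zero before the walk */
    int jumps[4];         /* indices of chains this chain jumps to */
    int njumps;
};

/* Depth-first walk from a base chain. With copy_to_callee the base-chain bit
 * is propagated into every user chain reached from a base chain (the broken
 * behaviour); otherwise only genuine base chains carry it. */
static void mark_from(struct chain *chains, int idx, unsigned int inherited,
                      bool copy_to_callee)
{
    struct chain *c = &chains[idx];
    unsigned int m = c->is_base ? BASE_CHAIN_MARK : 0;
    if (copy_to_callee)
        m |= inherited;
    c->mark |= m;
    for (int i = 0; i < c->njumps; i++)
        mark_from(chains, c->jumps[i], m, copy_to_callee);
}

/* Walk from every base chain, as the loop checker does before rules load. */
static void loop_check(struct chain *chains, int n, bool copy_to_callee)
{
    for (int i = 0; i < n; i++)
        if (chains[i].is_base)
            mark_from(chains, i, 0, copy_to_callee);
}

/* Rebuilds the session from the commit message (-N foo; -A OUTPUT -j foo) and
 * reports whether '--mark-target RETURN' is accepted in chain 0 (OUTPUT) or 1 (foo). */
bool return_allowed_in(int which, bool copy_to_callee)
{
    struct chain chains[2] = {
        { .is_base = true,  .jumps = { 1 }, .njumps = 1 },  /* OUTPUT -j foo */
        { .is_base = false, .njumps = 0 },                  /* foo */
    };
    loop_check(chains, 2, copy_to_callee);
    /* "--mark-target RETURN not allowed on base chain." */
    return !(chains[which].mark & BASE_CHAIN_MARK);
}
```

With the bit copied, foo is indistinguishable from OUTPUT and the RETURN target is rejected in both; without copying, foo accepts it while OUTPUT still rejects it, matching the behaviour the commit message describes after the patch.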
Diffstat (limited to 'extensions/ebt_nflog.c')
0 files changed, 0 insertions, 0 deletions