[nf] netfilter: nftables: permit any priority for nat hooks

Message ID	20200814130743.29024-1-fw@strlen.de
State	Not Applicable
Delegated to:	Pablo Neira
Headers	show Return-Path: <netfilter-devel-owner@vger.kernel.org> From: Florian Westphal <fw@strlen.de> To: <netfilter-devel@vger.kernel.org> Cc: Florian Westphal <fw@strlen.de> Subject: [PATCH nf] netfilter: nftables: permit any priority for nat hooks Date: Fri, 14 Aug 2020 15:07:43 +0200 Message-Id: <20200814130743.29024-1-fw@strlen.de> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk
Series	[nf] netfilter: nftables: permit any priority for nat hooks \| expand [nf] netfilter: nftables: permit any priority for nat hooks

Message ID

20200814130743.29024-1-fw@strlen.de

State

Not Applicable

Delegated to:

Pablo Neira

Headers

From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH nf] netfilter: nftables: permit any priority for nat hooks
Date: Fri, 14 Aug 2020 15:07:43 +0200
Message-Id: <20200814130743.29024-1-fw@strlen.de>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk

Series

[nf] netfilter: nftables: permit any priority for nat hooks | expand

Commit Message

Florian Westphal Aug. 14, 2020, 1:07 p.m. UTC

This reverts
commit 84ba7dd71add ("netfilter: nf_tables: reject nat hook registration if prio is before conntrack")

As of commit 9971a514ed2697e ("netfilter: nf_nat: add nat type hooks to nat core")
NAT hooks are always called from a fixed chain priority. The priority is
only used to order a nat chain wrt. other nat base chains, not arbitrary
hook functions. Even INT_MIN will not call the nat hook before conntrack
anymore.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_tables_api.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index fd814e514f94..6e2a75223882 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1831,10 +1831,6 @@  static int nft_chain_parse_hook(struct net *net,
 	if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
 		return -EOPNOTSUPP;
 
-	if (type->type == NFT_CHAIN_T_NAT &&
-	    hook->priority <= NF_IP_PRI_CONNTRACK)
-		return -EOPNOTSUPP;
-
 	if (!try_module_get(type->owner))
 		return -ENOENT;

[nf] netfilter: nftables: permit any priority for nat hooks

Commit Message

Patch