89e1f6d2b9
After I add the nft rule "nft add rule filter prerouting reject with tcp reset", kernel panic happened on my system: NULL pointer dereference at ... IP: [<ffffffff81b9db2f>] nf_send_reset+0xaf/0x400 Call Trace: [<ffffffff81b9da80>] ? nf_reject_ip_tcphdr_get+0x160/0x160 [<ffffffffa0928061>] nft_reject_ipv4_eval+0x61/0xb0 [nft_reject_ipv4] [<ffffffffa08e836a>] nft_do_chain+0x1fa/0x890 [nf_tables] [<ffffffffa08e8170>] ? __nft_trace_packet+0x170/0x170 [nf_tables] [<ffffffffa06e0900>] ? nf_ct_invert_tuple+0xb0/0xc0 [nf_conntrack] [<ffffffffa07224d4>] ? nf_nat_setup_info+0x5d4/0x650 [nf_nat] [...] Because in the PREROUTING chain, routing information is not exist, then we will dereference the NULL pointer and oops happen. So we restrict reject expression to INPUT, FORWARD and OUTPUT chain. This is consistent with iptables REJECT target. Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
25 lines
566 B
C
25 lines
566 B
C
#ifndef _NFT_REJECT_H_
|
|
#define _NFT_REJECT_H_
|
|
|
|
struct nft_reject {
|
|
enum nft_reject_types type:8;
|
|
u8 icmp_code;
|
|
};
|
|
|
|
extern const struct nla_policy nft_reject_policy[];
|
|
|
|
int nft_reject_validate(const struct nft_ctx *ctx,
|
|
const struct nft_expr *expr,
|
|
const struct nft_data **data);
|
|
|
|
int nft_reject_init(const struct nft_ctx *ctx,
|
|
const struct nft_expr *expr,
|
|
const struct nlattr * const tb[]);
|
|
|
|
int nft_reject_dump(struct sk_buff *skb, const struct nft_expr *expr);
|
|
|
|
int nft_reject_icmp_code(u8 code);
|
|
int nft_reject_icmpv6_code(u8 code);
|
|
|
|
#endif
|