[PATCH] netfilter: Fix iptables userspace compatibility breakage

ip_tables failed to recognize IPT_RETURN because it was defined relative to NF_MAX_VERDICT (which changed) and returned it to nf_iterate(). The old value of IPT_RETURN matches NF_REPEAT, so the hook was called again and again. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Linus Torvalds <torvalds@osdl.org>

[PATCH] netfilter: Fix iptables userspace compatibility breakage
ip_tables failed to recognize IPT_RETURN because it was defined relative to NF_MAX_VERDICT (which changed) and returned it to nf_iterate(). The old value of IPT_RETURN matches NF_REPEAT, so the hook was called again and again. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
12dd2ea4 · Patrick McHardy · Linus Torvalds · ec43f55f · 12dd2ea4 · 12dd2ea4
Commit 12dd2ea4 authored Mar 11, 2005 by Patrick McHardy Committed by Linus Torvalds Mar 11, 2005
3 changed files
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -154,7 +154,7 @@ struct arpt_entry
 #define ARPT_CONTINUE 0xFFFFFFFF

 /* For standard target */
-#define ARPT_RETURN (-NF_MAX_VERDICT - 1)
+#define ARPT_RETURN (-NF_REPEAT - 1)

 /* The argument to ARPT_SO_GET_INFO */
 struct arpt_getinfo

--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -166,7 +166,7 @@ struct ipt_entry
 #define IPT_CONTINUE 0xFFFFFFFF

 /* For standard target */
-#define IPT_RETURN (-NF_MAX_VERDICT - 1)
+#define IPT_RETURN (-NF_REPEAT - 1)

 /* TCP matching stuff */
 struct ipt_tcp

--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -166,7 +166,7 @@ struct ip6t_entry
 #define IP6T_CONTINUE 0xFFFFFFFF

 /* For standard target */
-#define IP6T_RETURN (-NF_MAX_VERDICT - 1)
+#define IP6T_RETURN (-NF_REPEAT - 1)

 /* TCP matching stuff */
 struct ip6t_tcp