On Mon, Jun 11, 2018 at 09:04:39PM +0900, Taehee Yoo wrote:
[...]
> diff --git a/include/net/netfilter/nf_tables.h 
> b/include/net/netfilter/nf_tables.h
> index 08c005c..a7d6476 100644
> --- a/include/net/netfilter/nf_tables.h
> +++ b/include/net/netfilter/nf_tables.h
> @@ -150,6 +150,7 @@ static inline void nft_data_debug(const struct nft_data 
> *data)
>   *   @portid: netlink portID of the original message
>   *   @seq: netlink sequence number
>   *   @family: protocol family
> + *   @level: depth of the chains
>   *   @report: notify via unicast netlink message
>   */
>  struct nft_ctx {
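
Review bot: the new kernel-doc line "@level: depth of the chains" is too terse to tell a reader what is counted or who updates it. Suggest spelling out that it is the nesting depth of the chain being processed in this context, and naming the limit it is compared against if there is one.
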
> @@ -160,6 +161,7 @@ struct nft_ctx {
>       u32                             portid;
>       u32                             seq;
>       u8                              family;
> +     u8                              level;
>       bool                            report;
>  };
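
Review bot: level is declared u8 in struct nft_ctx, so it wraps after 255, and the quoted part does not show where it is incremented. Please make sure the increment site compares against the maximum depth before bumping the counter, and that every error path restores it.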

I think the chunk I'm attaching is missing, right?

Other than that, rejecting this configuration from control plane - now
that we don't crash anymore due to hitting BUG_ON from packet path -
is indeed the way to go.

Thanks.
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 34393f6a0f42..d41fa2c82f14 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -75,6 +75,7 @@ static void nft_ctx_init(struct nft_ctx *ctx,
 {
 	ctx->net	= net;
 	ctx->family	= family;
+	ctx->level	= 0;
 	ctx->table	= table;
 	ctx->chain	= chain;
 	ctx->nla   	= nla;
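
Review bot: the added "ctx->level = 0;" in nft_ctx_init() only covers contexts that are set up through this helper. If any struct nft_ctx is filled in field by field elsewhere, level needs zeroing there as well, otherwise the depth check starts from an uninitialised value. This initialisation also belongs in the same patch that introduces the field, so the series never has a point where level is read without being set.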
