netfilter: nf_tables: fix issue with verdict support

The test on verdict was simply done on the value of the verdict
which is not correct as far as queue is concern. In fact, the test
of verdict test must be done with respect to the verdict mask for
verdicts which are not internal to nftables.

Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index cb9e685caae19120545a7883b6883033406971ea..e8fcc343c2b9d3dba82ac16264ec53a18fb376b3 100644 (file)
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -164,7 +164,7 @@ next_rule:
                break;
        }
 
-       switch (data[NFT_REG_VERDICT].verdict) {
+       switch (data[NFT_REG_VERDICT].verdict & NF_VERDICT_MASK) {
        case NF_ACCEPT:
        case NF_DROP:
        case NF_QUEUE:
@@ -172,6 +172,9 @@ next_rule:
                        nft_trace_packet(pkt, chain, rulenum, NFT_TRACE_RULE);
 
                return data[NFT_REG_VERDICT].verdict;
+       }
+
+       switch (data[NFT_REG_VERDICT].verdict) {
        case NFT_JUMP:
                if (unlikely(pkt->skb->nf_trace))
                        nft_trace_packet(pkt, chain, rulenum, NFT_TRACE_RULE);