Commit 4b2b4d7d authored Apr 17, 2026 by Jiexun Wang Committed by Pablo Neira Ayuso Apr 24, 2026

netfilter: xt_policy: fix strict mode inbound policy matching



match_policy_in() walks sec_path entries from the last transform to the
first one, but strict policy matching needs to consume info->pol[] in
the same forward order as the rule layout.

Derive the strict-match policy position from the number of transforms
already consumed so that multi-element inbound rules are matched
consistently.

Fixes: c4b88513 ("[NETFILTER]: x_tables: replace IPv4/IPv6 policy match by address family independant version")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent 10f79dbd

net/netfilter/xt_policy.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -63,7 +63,7 @@ match_policy_in(const struct sk_buff skb, const struct xt_policy_info info,
		return 0;

		for (i = sp->len - 1; i >= 0; i--) {
		pos = strict ? i - sp->len + 1 : 0;
		pos = strict ? sp->len - i - 1 : 0;
		if (pos >= info->len)
		return 0;
		e = &info->pol[pos];