
netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV

Bail out when the tunnel dst template is used from a family other than netdev.
Add the infrastructure to check for the family in objects.

Fixes: af308b94a2a4 ("netfilter: nf_tables: add tunnel support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

+12 -5
+2
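--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1351,6 +1351,7 @@
  * @type: stateful object numeric type
  * @owner: module owner
  * @maxattr: maximum netlink attribute
+ * @family: address family for AF-specific object types
  * @policy: netlink attribute policy
  */
 struct nft_object_type {
@@ -1360,6 +1361,7 @@
 	struct list_head list;
 	u32 type;
 	unsigned int maxattr;
+	u8 family;
 	struct module *owner;
 	const struct nla_policy *policy;
 };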
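Review bot: The new `@family` kernel-doc line does not say what a type that never sets the field means: the lookup in nf_tables_api.c treats NFPROTO_UNSPEC as "matches any family", and every existing object type relies on that implicitly through the value the designated initializer leaves behind (presumably zero equals NFPROTO_UNSPEC — confirm against linux/netfilter.h). Spelling that out next to the field avoids a future type accidentally becoming family-restricted or, worse, unrestricted: ` * @family: address family for AF-specific object types (NFPROTO_UNSPEC: any family)`. The struct's definition continues outside the hunk.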
+9 -5
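--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7551,11 +7551,15 @@
 	return -1;
 }
 
-static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
+static const struct nft_object_type *__nft_obj_type_get(u32 objtype, u8 family)
 {
 	const struct nft_object_type *type;
 
 	list_for_each_entry(type, &nf_tables_objects, list) {
+		if (type->family != NFPROTO_UNSPEC &&
+		    type->family != family)
+			continue;
+
 		if (objtype == type->type)
 			return type;
 	}
@@ -7563,11 +7567,11 @@
 }
 
 static const struct nft_object_type *
-nft_obj_type_get(struct net *net, u32 objtype)
+nft_obj_type_get(struct net *net, u32 objtype, u8 family)
 {
 	const struct nft_object_type *type;
 
-	type = __nft_obj_type_get(objtype);
+	type = __nft_obj_type_get(objtype, family);
 	if (type != NULL && try_module_get(type->owner))
 		return type;
 
@@ -7660,7 +7664,7 @@
 	if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
 		return -EOPNOTSUPP;
 
-	type = __nft_obj_type_get(objtype);
+	type = __nft_obj_type_get(objtype, family);
 	if (WARN_ON_ONCE(!type))
 		return -ENOENT;
 
@@ -7674,7 +7678,7 @@
 	if (!nft_use_inc(&table->use))
 		return -EMFILE;
 
-	type = nft_obj_type_get(net, objtype);
+	type = nft_obj_type_get(net, objtype, family);
 	if (IS_ERR(type)) {
 		err = PTR_ERR(type);
 		goto err_type;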
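Review bot: The `WARN_ON_ONCE(!type)` after the re-lookup at new line 7663 now also fires when the family filter rejects the type, which would make the warning (and a panic under panic_on_warn) reachable from netlink unless every object already present in the table necessarily passed the same family check when it was created; that appears to hold because the table is itself looked up by family, but the invariant is unstated, so a comment such as `/* obj exists in this table, so its type accepts the table's family */` above the call would pin it down. Separately, a type registered for another family is now skipped in `__nft_obj_type_get` exactly like an unknown type, so userspace gets -ENOENT instead of -EOPNOTSUPP for a tunnel object in a non-netdev table, and if the tail of nft_obj_type_get (outside the hunk) falls back to module autoload on a NULL result it will request a module that is already loaded. The enclosing functions at 7660 and 7674 both start and end outside the hunks.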
+1
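--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -713,6 +713,7 @@
 
 static struct nft_object_type nft_tunnel_obj_type __read_mostly = {
 	.type = NFT_OBJECT_TUNNEL,
+	.family = NFPROTO_NETDEV,
 	.ops = &nft_tunnel_obj_ops,
 	.maxattr = NFTA_TUNNEL_KEY_MAX,
 	.policy = nft_tunnel_key_policy,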
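Review bot: The new `.family = NFPROTO_NETDEV` initializer carries no hint of why the tunnel object is netdev-only, and the reason given in the commit message (the tunnel dst template is only usable from the netdev family) will not be visible to someone reading this registration later. A trailing comment keeps the rationale next to the restriction: `.family = NFPROTO_NETDEV, /* tunnel dst template is only usable from netdev hooks */`. The rest of the initializer continues outside the hunk.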