
netfilter: xtables: restrict several matches to inet family

This is a partial revert of:

commit ab4f21e6fb1c ("netfilter: xtables: use NFPROTO_UNSPEC in more extensions")

to allow ipv4 and ipv6 only.

- xt_mac
- xt_owner
- xt_physdev

These extensions are not used by ebtables in userspace.

Moreover, xt_realm is only for ipv4, since dst->tclassid is ipv4
specific.

Fixes: ab4f21e6fb1c ("netfilter: xtables: use NFPROTO_UNSPEC in more extensions")
Reported-by: "Kito Xu (veritas501)" <hxzene@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

+68 -34
+23 -11
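--- a/net/netfilter/xt_mac.c
+++ b/net/netfilter/xt_mac.c
@@ -36,25 +36,37 @@
 	return ret;
 }
 
-static struct xt_match mac_mt_reg __read_mostly = {
-	.name = "mac",
-	.revision = 0,
-	.family = NFPROTO_UNSPEC,
-	.match = mac_mt,
-	.matchsize = sizeof(struct xt_mac_info),
-	.hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_IN) |
-		(1 << NF_INET_FORWARD),
-	.me = THIS_MODULE,
+static struct xt_match mac_mt_reg[] __read_mostly = {
+	{
+		.name = "mac",
+		.family = NFPROTO_IPV4,
+		.match = mac_mt,
+		.matchsize = sizeof(struct xt_mac_info),
+		.hooks = (1 << NF_INET_PRE_ROUTING) |
+			(1 << NF_INET_LOCAL_IN) |
+			(1 << NF_INET_FORWARD),
+		.me = THIS_MODULE,
+	},
+	{
+		.name = "mac",
+		.family = NFPROTO_IPV6,
+		.match = mac_mt,
+		.matchsize = sizeof(struct xt_mac_info),
+		.hooks = (1 << NF_INET_PRE_ROUTING) |
+			(1 << NF_INET_LOCAL_IN) |
+			(1 << NF_INET_FORWARD),
+		.me = THIS_MODULE,
+	},
 };
 
 static int __init mac_mt_init(void)
 {
-	return xt_register_match(&mac_mt_reg);
+	return xt_register_matches(mac_mt_reg, ARRAY_SIZE(mac_mt_reg));
 }
 
 static void __exit mac_mt_exit(void)
 {
-	xt_unregister_match(&mac_mt_reg);
+	xt_unregister_matches(mac_mt_reg, ARRAY_SIZE(mac_mt_reg));
 }
 
 module_init(mac_mt_init);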
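Review bot: The reason the registration is split into two near-identical per-family entries instead of a single NFPROTO_UNSPEC entry is recorded only in the commit message, so a reader of xt_mac.c alone may be tempted to fold them back; a one-line comment above the array at new line 39 would prevent that, e.g. `/* IPv4 and IPv6 only: not used by ebtables (partial revert of ab4f21e6fb1c) */`. The same comment belongs above the equivalent arrays in xt_owner.c and xt_physdev.c. The new entries also drop the explicit `.revision = 0,` that the removed initialiser carried; an omitted designated field is zero-initialised, so behaviour is unchanged, but keeping `.revision = 0,` in both entries would make the revision as visible here as it is in xt_owner's `.revision = 1`. mac_mt itself ends at the top of the hunk and its body is outside it.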
+25 -12
net/netfilter/xt_owner.c
··· 127 127 return true; 128 128 } 129 129 130 - static struct xt_match owner_mt_reg __read_mostly = { 131 - .name = "owner", 132 - .revision = 1, 133 - .family = NFPROTO_UNSPEC, 134 - .checkentry = owner_check, 135 - .match = owner_mt, 136 - .matchsize = sizeof(struct xt_owner_match_info), 137 - .hooks = (1 << NF_INET_LOCAL_OUT) | 138 - (1 << NF_INET_POST_ROUTING), 139 - .me = THIS_MODULE, 130 + static struct xt_match owner_mt_reg[] __read_mostly = { 131 + { 132 + .name = "owner", 133 + .revision = 1, 134 + .family = NFPROTO_IPV4, 135 + .checkentry = owner_check, 136 + .match = owner_mt, 137 + .matchsize = sizeof(struct xt_owner_match_info), 138 + .hooks = (1 << NF_INET_LOCAL_OUT) | 139 + (1 << NF_INET_POST_ROUTING), 140 + .me = THIS_MODULE, 141 + }, 142 + { 143 + .name = "owner", 144 + .revision = 1, 145 + .family = NFPROTO_IPV6, 146 + .checkentry = owner_check, 147 + .match = owner_mt, 148 + .matchsize = sizeof(struct xt_owner_match_info), 149 + .hooks = (1 << NF_INET_LOCAL_OUT) | 150 + (1 << NF_INET_POST_ROUTING), 151 + .me = THIS_MODULE, 152 + } 140 153 }; 141 154 142 155 static int __init owner_mt_init(void) 143 156 { 144 - return xt_register_match(&owner_mt_reg); 157 + return xt_register_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg)); 145 158 } 146 159 147 160 static void __exit owner_mt_exit(void) 148 161 { 149 - xt_unregister_match(&owner_mt_reg); 162 + xt_unregister_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg)); 150 163 } 151 164 152 165 module_init(owner_mt_init);
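Review bot: The second array element at new line 152 closes with `}` while the first element at line 141 and the equivalent arrays in xt_mac.c and xt_physdev.c close with `},`; changing line 152 to `},` keeps the three files consistent and means a future third entry does not have to touch this line. The two entries also duplicate the `.hooks` mask verbatim; that is the same pattern as the other two files, so it is acceptable, but it is one more reason to add a short comment above the array explaining that the split exists to keep the match IPv4/IPv6-only rather than NFPROTO_UNSPEC. owner_mt ends at the top of the hunk and owner_check is outside it.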
+19 -10
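--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -137,24 +137,33 @@
 	return 0;
 }
 
-static struct xt_match physdev_mt_reg __read_mostly = {
-	.name = "physdev",
-	.revision = 0,
-	.family = NFPROTO_UNSPEC,
-	.checkentry = physdev_mt_check,
-	.match = physdev_mt,
-	.matchsize = sizeof(struct xt_physdev_info),
-	.me = THIS_MODULE,
+static struct xt_match physdev_mt_reg[] __read_mostly = {
+	{
+		.name = "physdev",
+		.family = NFPROTO_IPV4,
+		.checkentry = physdev_mt_check,
+		.match = physdev_mt,
+		.matchsize = sizeof(struct xt_physdev_info),
+		.me = THIS_MODULE,
+	},
+	{
+		.name = "physdev",
+		.family = NFPROTO_IPV6,
+		.checkentry = physdev_mt_check,
+		.match = physdev_mt,
+		.matchsize = sizeof(struct xt_physdev_info),
+		.me = THIS_MODULE,
+	},
 };
 
 static int __init physdev_mt_init(void)
 {
-	return xt_register_match(&physdev_mt_reg);
+	return xt_register_matches(physdev_mt_reg, ARRAY_SIZE(physdev_mt_reg));
 }
 
 static void __exit physdev_mt_exit(void)
 {
-	xt_unregister_match(&physdev_mt_reg);
+	xt_unregister_matches(physdev_mt_reg, ARRAY_SIZE(physdev_mt_reg));
 }
 
 module_init(physdev_mt_init);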
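Review bot: physdev_mt_check, which ends at the top of this hunk and is otherwise outside it, is the place where family-dependent assumptions of this match are validated; since the match is now registered only for NFPROTO_IPV4 and NFPROTO_IPV6, it is worth confirming that nothing in it still special-cases the bridge family that NFPROTO_UNSPEC previously admitted — that is inferred from the family change, not visible in the hunk. As in xt_mac.c the new entries drop the explicit `.revision = 0,` (zero-initialised when omitted, so no behaviour change) and, as in all three files, a comment above the array at new line 140 such as `/* IPv4 and IPv6 only: not used by ebtables */` would explain the duplication to the next reader.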
+1 -1
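--- a/net/netfilter/xt_realm.c
+++ b/net/netfilter/xt_realm.c
@@ -33,7 +33,7 @@
 	.matchsize = sizeof(struct xt_realm_info),
 	.hooks = (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_FORWARD) |
 		(1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_LOCAL_IN),
-	.family = NFPROTO_UNSPEC,
+	.family = NFPROTO_IPV4,
 	.me = THIS_MODULE
 };
 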
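Review bot: The reason this match is now IPv4-only — that dst->tclassid is an IPv4-specific field — is stated only in the commit message, and nothing at the changed line 36 records it; a trailing comment, `.family = NFPROTO_IPV4, /* dst->tclassid is ipv4 specific */`, puts the constraint where the next person widening the family will see it. The rest of the xt_match initialiser, including .name and .match, starts above the hunk.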