android/android_kernel_samsung_sm8650
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV

Browse Source 
[ Upstream commit 776d451648443f9884be4a1b4e38e8faf1c621f9 ]

Bail out on using the tunnel dst template from other than netdev family.
Add the infrastructure to check for the family in objects.

Fixes: af308b94a2 ("netfilter: nf_tables: add tunnel support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Pablo Neira Ayuso 2024-01-23 23:45:32 +01:00 committed by Greg Kroah-Hartman
parent 8a51dbf7b7
commit 67f0ca0a4c
3 changed files with 12 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/net/netfilter/nf_tables.h
View File

@ -1286,6 +1286,7 @@ void nft_obj_notify(struct net *net, const struct nft_table *table,
* @type: stateful object numeric type * @type: stateful object numeric type
* @owner: module owner * @owner: module owner
* @maxattr: maximum netlink attribute * @maxattr: maximum netlink attribute
* @family: address family for AF-specific object types
* @policy: netlink attribute policy * @policy: netlink attribute policy
*/ */
struct nft_object_type { struct nft_object_type {
@ -1295,6 +1296,7 @@ struct nft_object_type {
struct list_head list; struct list_head list;
u32 type; u32 type;
unsigned int maxattr; unsigned int maxattr;
u8 family;
struct module *owner; struct module *owner;
const struct nla_policy *policy; const struct nla_policy *policy;
}; };

14
net/netfilter/nf_tables_api.c
View File

@ -7129,11 +7129,15 @@ static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
return -1; return -1;
} }
static const struct nft_object_type *__nft_obj_type_get(u32 objtype) static const struct nft_object_type *__nft_obj_type_get(u32 objtype, u8 family)
{ {
const struct nft_object_type *type; const struct nft_object_type *type;
list_for_each_entry(type, &nf_tables_objects, list) { list_for_each_entry(type, &nf_tables_objects, list) {
if (type->family != NFPROTO_UNSPEC &&
type->family != family)
continue;
if (objtype == type->type) if (objtype == type->type)
return type; return type;
} }
@ -7141,11 +7145,11 @@ static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
} }
static const struct nft_object_type * static const struct nft_object_type *
nft_obj_type_get(struct net *net, u32 objtype) nft_obj_type_get(struct net *net, u32 objtype, u8 family)
{ {
const struct nft_object_type *type; const struct nft_object_type *type;
type = __nft_obj_type_get(objtype); type = __nft_obj_type_get(objtype, family);
if (type != NULL && try_module_get(type->owner)) if (type != NULL && try_module_get(type->owner))
return type; return type;
@ -7238,7 +7242,7 @@ static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
if (info->nlh->nlmsg_flags & NLM_F_REPLACE) if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
return -EOPNOTSUPP; return -EOPNOTSUPP;
type = __nft_obj_type_get(objtype); type = __nft_obj_type_get(objtype, family);
if (WARN_ON_ONCE(!type)) if (WARN_ON_ONCE(!type))
return -ENOENT; return -ENOENT;
@ -7252,7 +7256,7 @@ static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
if (!nft_use_inc(&table->use)) if (!nft_use_inc(&table->use))
return -EMFILE; return -EMFILE;
type = nft_obj_type_get(net, objtype); type = nft_obj_type_get(net, objtype, family);
if (IS_ERR(type)) { if (IS_ERR(type)) {
err = PTR_ERR(type); err = PTR_ERR(type);
goto err_type; goto err_type;

1
net/netfilter/nft_tunnel.c
View File

@ -713,6 +713,7 @@ static const struct nft_object_ops nft_tunnel_obj_ops = {
static struct nft_object_type nft_tunnel_obj_type __read_mostly = { static struct nft_object_type nft_tunnel_obj_type __read_mostly = {
.type = NFT_OBJECT_TUNNEL, .type = NFT_OBJECT_TUNNEL,
.family = NFPROTO_NETDEV,
.ops = &nft_tunnel_obj_ops, .ops = &nft_tunnel_obj_ops,
.maxattr = NFTA_TUNNEL_KEY_MAX, .maxattr = NFTA_TUNNEL_KEY_MAX,
.policy = nft_tunnel_key_policy, .policy = nft_tunnel_key_policy,