Commit 776d4516 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso
Browse files

netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV 



Bail out on using the tunnel dst template from other than netdev family.
Add the infrastructure to check for the family in objects.

Fixes: af308b94 ("netfilter: nf_tables: add tunnel support")
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent fb366fc7

include/net/netfilter/nf_tables.h

+2 −0
Original line number Diff line number Diff line
@@ -1351,6 +1351,7 @@ void nft_obj_notify(struct net *net, const struct nft_table *table, 
 *	@type: stateful object numeric type

 *	@owner: module owner

 *	@maxattr: maximum netlink attribute

 *	@family: address family for AF-specific object types

 *	@policy: netlink attribute policy

 */

struct nft_object_type {
@@ -1360,6 +1361,7 @@ struct nft_object_type { 
	struct list_head		list;

	u32				type;

	unsigned int                    maxattr;

	u8				family;

	struct module			*owner;

	const struct nla_policy		*policy;

};

net/netfilter/nf_tables_api.c

+9 −5
Original line number Diff line number Diff line
@@ -7551,11 +7551,15 @@ static int nft_object_dump(struct sk_buff *skb, unsigned int attr, 
	return -1;

}



static const struct nft_object_type *__nft_obj_type_get(u32 objtype)

static const struct nft_object_type *__nft_obj_type_get(u32 objtype, u8 family)

{

	const struct nft_object_type *type;



	list_for_each_entry(type, &nf_tables_objects, list) {

		if (type->family != NFPROTO_UNSPEC &&

		    type->family != family)

			continue;



		if (objtype == type->type)

			return type;

	}
@@ -7563,11 +7567,11 @@ static const struct nft_object_type *__nft_obj_type_get(u32 objtype) 
}



static const struct nft_object_type *

nft_obj_type_get(struct net *net, u32 objtype)

nft_obj_type_get(struct net *net, u32 objtype, u8 family)

{

	const struct nft_object_type *type;



	type = __nft_obj_type_get(objtype);

	type = __nft_obj_type_get(objtype, family);

	if (type != NULL && try_module_get(type->owner))

		return type;
@@ -7660,7 +7664,7 @@ static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info, 
		if (info->nlh->nlmsg_flags & NLM_F_REPLACE)

			return -EOPNOTSUPP;



		type = __nft_obj_type_get(objtype);

		type = __nft_obj_type_get(objtype, family);

		if (WARN_ON_ONCE(!type))

			return -ENOENT;
@@ -7674,7 +7678,7 @@ static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info, 
	if (!nft_use_inc(&table->use))

		return -EMFILE;



	type = nft_obj_type_get(net, objtype);

	type = nft_obj_type_get(net, objtype, family);

	if (IS_ERR(type)) {

		err = PTR_ERR(type);

		goto err_type;

net/netfilter/nft_tunnel.c

+1 −0
Original line number Diff line number Diff line
@@ -713,6 +713,7 @@ static const struct nft_object_ops nft_tunnel_obj_ops = { 


static struct nft_object_type nft_tunnel_obj_type __read_mostly = {

	.type		= NFT_OBJECT_TUNNEL,

	.family		= NFPROTO_NETDEV,

	.ops		= &nft_tunnel_obj_ops,

	.maxattr	= NFTA_TUNNEL_KEY_MAX,

	.policy		= nft_tunnel_key_policy,