@@ -125,6 +125,7 @@ static int nft_objref_map_init(const struct nft_ctx *ctx,
{
struct nft_objref_map *priv = nft_expr_priv(expr);
u8 genmask = nft_genmask_next(ctx->net);
+ u32 objtype = NFT_OBJECT_UNSPEC;
struct nft_set *set;
int err;
@@ -148,6 +149,13 @@ static int nft_objref_map_init(const struct nft_ctx *ctx,
if (err < 0)
return err;
+ if (tb[NFTA_OBJREF_TYPE])
+ objtype = ntohl(nla_get_be32(tb[NFTA_OBJREF_TYPE]));
+
+ if (objtype != NFT_OBJECT_UNSPEC &&
+ set->objtype != objtype)
+ return -EOPNOTSUPP;
+
priv->set = set;
return 0;
}
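Review bot: The new check `if (objtype != NFT_OBJECT_UNSPEC && set->objtype != objtype)` is skipped both when NFTA_OBJREF_TYPE is absent and when userspace sends it explicitly as NFT_OBJECT_UNSPEC, so the type binding is opt-in and an explicit zero silently disables it. If that is intended for backward compatibility, say so above the check, e.g. `/* NFTA_OBJREF_TYPE is optional; when absent or UNSPEC the map's object type is not validated */`; otherwise an explicitly supplied UNSPEC could be rejected with -EINVAL. A mismatch returns -EOPNOTSUPP, which userspace probably cannot tell apart from a kernel that lacks the feature, so -EINVAL may describe the failure better. `nla_get_be32()` depends on the attribute policy enforcing a 4-byte payload; that policy entry is not visible in these hunks and is worth confirming. The signature of nft_objref_map_init and the code between the two hunks are outside the view.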
Allow specifying the NFTA_OBJREF_TYPE netlink attribute to validate the object type in this reference. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/netfilter/nft_objref.c | 8 ++++++++ 1 file changed, 8 insertions(+)