Message ID | 20231214214322.137555-1-pablo@netfilter.org
---|---
State | Accepted
Series | [nf-next] netfilter: nf_tables: validate chain type update if available
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index c5c17c6e80ed..ec092f2f0b64 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -2261,7 +2261,16 @@ static int nft_chain_parse_hook(struct net *net, return -EOPNOTSUPP; } - type = basechain->type; + if (nla[NFTA_CHAIN_TYPE]) { + type = __nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE], + family); + if (!type) { + NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]); + return -ENOENT; + } + } else { + type = basechain->type; + } } if (!try_module_get(type->owner)) {
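Review bot: the new branch resolves `nla[NFTA_CHAIN_TYPE]` into `type`, but nothing in the visible lines compares it with `basechain->type`, so the rejection the commit message describes must come from the caller once this function returns; naming that check in the commit message would make the change self-explanatory. Also, `try_module_get(type->owner)` below now takes its reference on the looked-up type rather than on `basechain->type`, so the path that later rejects a mismatched type has to release that reference.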
Parse netlink attribute containing the chain type in this update, to bail out if this is different from the existing type. Otherwise, it is possible to define a chain with the same name, hook and priority but different type, which is silently ignored.

Fixes: 96518518cc41 ("netfilter: add nftables")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
This catches this sequence:

    table ip x {
        chain y {
            type filter hook output priority 0;
        }
    }

then:

    table ip x {
        chain y {
            type route hook output priority 0;
        }
    }

This is currently ignored; bail out instead if the user tries to redefine an existing chain with a different type.

 net/netfilter/nf_tables_api.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
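As an added example (not part of the patch or of the netfilter project), a small Python ruleset linter that applies the two rulesets from the description in order and flags the chain redefinition with a different type that older kernels silently ignored. It assumes single-line base chain declarations in `type ... hook ... priority ...;` order and ignores other chain options.

```python
import re

# Constructed sample: the two rulesets from the patch description, loaded in order.
RULESETS = [
    "table ip x { chain y { type filter hook output priority 0; } }",
    "table ip x { chain y { type route hook output priority 0; } }",
]

TABLE_RE = re.compile(r"\btable\s+(\w+)\s+(\w+)\s*\{")
CHAIN_RE = re.compile(
    r"\bchain\s+(\w+)\s*\{\s*type\s+(\w+)\s+hook\s+(\w+)\s+priority\s+(-?\d+)\s*;"
)


def iter_tables(text):
    """Yield (family, table, body) by matching the table's braces by depth."""
    for m in TABLE_RE.finditer(text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), m.group(2), text[m.end():i - 1]


def parse_base_chains(ruleset):
    """Return (family, table, chain, type, hook, priority) for each base chain."""
    out = []
    for family, table, body in iter_tables(ruleset):
        for name, ctype, hook, prio in CHAIN_RE.findall(body):
            out.append((family, table, name, ctype, hook, int(prio)))
    return out


def find_type_conflicts(rulesets):
    """Apply rulesets in order and report chains redefined with another type.

    A chain is identified by (family, table, name); the first definition wins,
    which mirrors the kernel behaviour the patch replaces with an explicit error.
    """
    seen, conflicts = {}, []
    for rs in rulesets:
        for family, table, name, ctype, hook, prio in parse_base_chains(rs):
            key = (family, table, name)
            if key in seen and seen[key][0] != ctype:
                conflicts.append((key, seen[key][0], ctype))
            seen.setdefault(key, (ctype, hook, prio))
    return conflicts


if __name__ == "__main__":
    for (fam, tbl, chain), old, new in find_type_conflicts(RULESETS):
        print(f"{fam} {tbl} {chain}: type {old} redefined as {new}")
```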