@@ -786,6 +786,20 @@ static bool nft_match_reduce(struct nft_regs_track *track,
return strcmp(match->name, "comment") == 0;
}
+static bool is_valid_compat_family(u32 family)
+{
+ switch (family) {
+ case NFPROTO_IPV4:
+ case NFPROTO_ARP:
+ case NFPROTO_BRIDGE:
+ case NFPROTO_IPV6:
+ return true;
+ }
+
+ /* others are nftables only */
+ return false;
+}
+
static const struct nft_expr_ops *
nft_match_select_ops(const struct nft_ctx *ctx,
const struct nlattr * const tb[])
@@ -806,6 +820,9 @@ nft_match_select_ops(const struct nft_ctx *ctx,
rev = ntohl(nla_get_be32(tb[NFTA_MATCH_REV]));
family = ctx->family;
+ if (!is_valid_compat_family(family))
+ return ERR_PTR(-EAFNOSUPPORT);
+
match = xt_request_find_match(family, mt_name, rev);
if (IS_ERR(match))
return ERR_PTR(-ENOENT);
@@ -886,6 +903,9 @@ nft_target_select_ops(const struct nft_ctx *ctx,
rev = ntohl(nla_get_be32(tb[NFTA_TARGET_REV]));
family = ctx->family;
+ if (!is_valid_compat_family(family))
+ return ERR_PTR(-EAFNOSUPPORT);
+
if (strcmp(tg_name, XT_ERROR_TARGET) == 0 ||
strcmp(tg_name, XT_STANDARD_TARGET) == 0 ||
strcmp(tg_name, "standard") == 0)
nft_compat is used by xtables-over-nftables: - arptables-nft - ebtables-nft - iptables-nft - ip6tables-nft x_tables doesn't support NFPROTO_NETDEV and NFPROTO_INET. Reject unsupported families. As-is, this allows use of xtables NFPROTO_UNSPEC extensions that crash the kernel when used with e.g. NFPROTO_NETDEV. NFPROTO_INET *might* be safe (since it is a superset of NFPROTO_IPV4/IPV6), but it is not used by the existing compat layer. Signed-off-by: Florian Westphal <fw@strlen.de> --- This is in addition to "netfilter: x_tables: reject unsupported families in xt_check_match/xt_check_target". net/netfilter/nft_compat.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+)