| 1 |
From 68d86ff6f56c33e6eb852f5b6a75af6dfc2e4470 Mon Sep 17 00:00:00 2001 |
| 2 |
From: Sasha Levin <sashal@kernel.org> |
| 3 |
Date: Sun, 21 Aug 2022 10:28:25 +0200 |
| 4 |
Subject: netfilter: nf_tables: disallow updates of implicit chain |
| 5 |
|
| 6 |
From: Pablo Neira Ayuso <pablo@netfilter.org> |
| 7 |
|
| 8 |
[ Upstream commit 5dc52d83baac30decf5f3b371d5eb41dfa1d1412 ] |
| 9 |
|
| 10 |
Updates on existing implicit chain make no sense, disallow this. |
| 11 |
|
| 12 |
Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING") |
| 13 |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
| 14 |
Signed-off-by: Sasha Levin <sashal@kernel.org> |
| 15 |
--- |
| 16 |
net/netfilter/nf_tables_api.c | 3 +++ |
| 17 |
1 file changed, 3 insertions(+) |
| 18 |
|
| 19 |
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c |
| 20 |
index 4bd6e9427c918..8b6ee9df817fb 100644 |
| 21 |
--- a/net/netfilter/nf_tables_api.c |
| 22 |
+++ b/net/netfilter/nf_tables_api.c |
| 23 |
@@ -2574,6 +2574,9 @@ static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info, |
| 24 |
nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); |
| 25 |
|
| 26 |
if (chain != NULL) { |
| 27 |
+ if (chain->flags & NFT_CHAIN_BINDING) |
| 28 |
+ return -EINVAL; |
| 29 |
+ |
| 30 |
if (info->nlh->nlmsg_flags & NLM_F_EXCL) { |
| 31 |
NL_SET_BAD_ATTR(extack, attr); |
| 32 |
return -EEXIST; |
| 33 |
-- |
| 34 |
2.35.1 |
| 35 |
|
Parent Directory
| 
Revision Log