netfilter: nf_tables: reject unsupported chain flags

author Pablo Neira Ayuso <pablo@netfilter.org>

Sat, 4 Jul 2020 00:51:28 +0000 (02:51 +0200)

committer Pablo Neira Ayuso <pablo@netfilter.org>

Sat, 4 Jul 2020 00:51:28 +0000 (02:51 +0200)
author Pablo Neira Ayuso <pablo@netfilter.org>
Sat, 4 Jul 2020 00:51:28 +0000 (02:51 +0200)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Sat, 4 Jul 2020 00:51:28 +0000 (02:51 +0200)
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h

index e00b4ae..42f351c 100644 (file)
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -189,6 +189,9 @@ enum nft_chain_flags {
         NFT_CHAIN_HW_OFFLOAD    = (1 << 1),
         NFT_CHAIN_BINDING       = (1 << 2),
  };
+#define NFT_CHAIN_FLAGS                (NFT_CHAIN_BASE         | \
+                                NFT_CHAIN_HW_OFFLOAD   | \
+                                NFT_CHAIN_BINDING)
  
  /**
   * enum nft_chain_attributes - nf_tables chain netlink attributes
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c

index b8a970d..f967855 100644 (file)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2285,6 +2285,9 @@ static int nf_tables_newchain(struct net *net, struct sock *nlsk,
         else if (chain)
                 flags = chain->flags;
  
+       if (flags & ~NFT_CHAIN_FLAGS)
+               return -EOPNOTSUPP;
+
         nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
  
         if (chain != NULL) {
author	Pablo Neira Ayuso <pablo@netfilter.org>
	Sat, 4 Jul 2020 00:51:28 +0000 (02:51 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Sat, 4 Jul 2020 00:51:28 +0000 (02:51 +0200)
include/uapi/linux/netfilter/nf_tables.h		patch \| blob \| history
net/netfilter/nf_tables_api.c		patch \| blob \| history