Skip to content

Commit

Permalink
netfilter: nf_tables: validate NFPROTO_* family
Browse files Browse the repository at this point in the history
Several expressions explicitly refer to NF_INET_* hook definitions
from expr->ops->validate, however, family is not validated.

Bail out with EOPNOTSUPP in case they are used from unsupported
families.

Fixes: 0ca743a ("netfilter: nf_tables: add compatibility layer for x_tables")
Fixes: a3c90f7 ("netfilter: nf_tables: flow offload expression")
Fixes: 2fa8419 ("netfilter: nf_tables: introduce routing expression")
Fixes: 554ced0 ("netfilter: nf_tables: add support for native socket matching")
Fixes: ad49d86 ("netfilter: nf_tables: Add synproxy support")
Fixes: 4ed8eb6 ("netfilter: nf_tables: Add native tproxy support")
Fixes: 6c47260 ("netfilter: nf_tables: add xfrm expression")
Signed-off-by: Pablo Neira Ayuso <[email protected]>
  • Loading branch information
ummakynes committed Jan 24, 2024
1 parent f342de4 commit d0009ef
Show file tree
Hide file tree
Showing 8 changed files with 47 additions and 2 deletions.
12 changes: 12 additions & 0 deletions net/netfilter/nft_compat.c
Original file line number Diff line number Diff line change
Expand Up @@ -350,6 +350,12 @@ static int nft_target_validate(const struct nft_ctx *ctx,
unsigned int hook_mask = 0;
int ret;

if (ctx->family != NFPROTO_IPV4 &&
ctx->family != NFPROTO_IPV6 &&
ctx->family != NFPROTO_BRIDGE &&
ctx->family != NFPROTO_ARP)
return -EOPNOTSUPP;

if (nft_is_base_chain(ctx->chain)) {
const struct nft_base_chain *basechain =
nft_base_chain(ctx->chain);
Expand Down Expand Up @@ -595,6 +601,12 @@ static int nft_match_validate(const struct nft_ctx *ctx,
unsigned int hook_mask = 0;
int ret;

if (ctx->family != NFPROTO_IPV4 &&
ctx->family != NFPROTO_IPV6 &&
ctx->family != NFPROTO_BRIDGE &&
ctx->family != NFPROTO_ARP)
return -EOPNOTSUPP;

if (nft_is_base_chain(ctx->chain)) {
const struct nft_base_chain *basechain =
nft_base_chain(ctx->chain);
Expand Down
5 changes: 5 additions & 0 deletions net/netfilter/nft_flow_offload.c
Original file line number Diff line number Diff line change
Expand Up @@ -384,6 +384,11 @@ static int nft_flow_offload_validate(const struct nft_ctx *ctx,
{
unsigned int hook_mask = (1 << NF_INET_FORWARD);

if (ctx->family != NFPROTO_IPV4 &&
ctx->family != NFPROTO_IPV6 &&
ctx->family != NFPROTO_INET)
return -EOPNOTSUPP;

return nft_chain_validate_hooks(ctx->chain, hook_mask);
}

Expand Down
5 changes: 5 additions & 0 deletions net/netfilter/nft_nat.c
Original file line number Diff line number Diff line change
Expand Up @@ -143,6 +143,11 @@ static int nft_nat_validate(const struct nft_ctx *ctx,
struct nft_nat *priv = nft_expr_priv(expr);
int err;

if (ctx->family != NFPROTO_IPV4 &&
ctx->family != NFPROTO_IPV6 &&
ctx->family != NFPROTO_INET)
return -EOPNOTSUPP;

err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
if (err < 0)
return err;
Expand Down
5 changes: 5 additions & 0 deletions net/netfilter/nft_rt.c
Original file line number Diff line number Diff line change
Expand Up @@ -166,6 +166,11 @@ static int nft_rt_validate(const struct nft_ctx *ctx, const struct nft_expr *exp
const struct nft_rt *priv = nft_expr_priv(expr);
unsigned int hooks;

if (ctx->family != NFPROTO_IPV4 &&
ctx->family != NFPROTO_IPV6 &&
ctx->family != NFPROTO_INET)
return -EOPNOTSUPP;

switch (priv->key) {
case NFT_RT_NEXTHOP4:
case NFT_RT_NEXTHOP6:
Expand Down
5 changes: 5 additions & 0 deletions net/netfilter/nft_socket.c
Original file line number Diff line number Diff line change
Expand Up @@ -242,6 +242,11 @@ static int nft_socket_validate(const struct nft_ctx *ctx,
const struct nft_expr *expr,
const struct nft_data **data)
{
if (ctx->family != NFPROTO_IPV4 &&
ctx->family != NFPROTO_IPV6 &&
ctx->family != NFPROTO_INET)
return -EOPNOTSUPP;

return nft_chain_validate_hooks(ctx->chain,
(1 << NF_INET_PRE_ROUTING) |
(1 << NF_INET_LOCAL_IN) |
Expand Down
7 changes: 5 additions & 2 deletions net/netfilter/nft_synproxy.c
Original file line number Diff line number Diff line change
Expand Up @@ -186,7 +186,6 @@ static int nft_synproxy_do_init(const struct nft_ctx *ctx,
break;
#endif
case NFPROTO_INET:
case NFPROTO_BRIDGE:
err = nf_synproxy_ipv4_init(snet, ctx->net);
if (err)
goto nf_ct_failure;
Expand Down Expand Up @@ -219,7 +218,6 @@ static void nft_synproxy_do_destroy(const struct nft_ctx *ctx)
break;
#endif
case NFPROTO_INET:
case NFPROTO_BRIDGE:
nf_synproxy_ipv4_fini(snet, ctx->net);
nf_synproxy_ipv6_fini(snet, ctx->net);
break;
Expand Down Expand Up @@ -253,6 +251,11 @@ static int nft_synproxy_validate(const struct nft_ctx *ctx,
const struct nft_expr *expr,
const struct nft_data **data)
{
if (ctx->family != NFPROTO_IPV4 &&
ctx->family != NFPROTO_IPV6 &&
ctx->family != NFPROTO_INET)
return -EOPNOTSUPP;

return nft_chain_validate_hooks(ctx->chain, (1 << NF_INET_LOCAL_IN) |
(1 << NF_INET_FORWARD));
}
Expand Down
5 changes: 5 additions & 0 deletions net/netfilter/nft_tproxy.c
Original file line number Diff line number Diff line change
Expand Up @@ -316,6 +316,11 @@ static int nft_tproxy_validate(const struct nft_ctx *ctx,
const struct nft_expr *expr,
const struct nft_data **data)
{
if (ctx->family != NFPROTO_IPV4 &&
ctx->family != NFPROTO_IPV6 &&
ctx->family != NFPROTO_INET)
return -EOPNOTSUPP;

return nft_chain_validate_hooks(ctx->chain, 1 << NF_INET_PRE_ROUTING);
}

Expand Down
5 changes: 5 additions & 0 deletions net/netfilter/nft_xfrm.c
Original file line number Diff line number Diff line change
Expand Up @@ -235,6 +235,11 @@ static int nft_xfrm_validate(const struct nft_ctx *ctx, const struct nft_expr *e
const struct nft_xfrm *priv = nft_expr_priv(expr);
unsigned int hooks;

if (ctx->family != NFPROTO_IPV4 &&
ctx->family != NFPROTO_IPV6 &&
ctx->family != NFPROTO_INET)
return -EOPNOTSUPP;

switch (priv->dir) {
case XFRM_POLICY_IN:
hooks = (1 << NF_INET_FORWARD) |
Expand Down

0 comments on commit d0009ef

Please sign in to comment.