Allow to specify the NFTA_OBJREF_TYPE netlink attribute to validate the object type in this reference.
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 net/netfilter/nft_objref.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/net/netfilter/nft_objref.c b/net/netfilter/nft_objref.c
index 984f5b1810be..006c2ebd898a 100644
--- a/net/netfilter/nft_objref.c
+++ b/net/netfilter/nft_objref.c
@@ -125,6 +125,7 @@ static int nft_objref_map_init(const struct nft_ctx *ctx,
 {
 struct nft_objref_map *priv = nft_expr_priv(expr);
 u8 genmask = nft_genmask_next(ctx->net);
+ u32 objtype = NFT_OBJECT_UNSPEC;
 struct nft_set *set;
 int err;
 
@@ -148,6 +149,13 @@ static int nft_objref_map_init(const struct nft_ctx *ctx,
 if (err < 0)
 return err;
 
+ if (tb[NFTA_OBJREF_TYPE])
+ objtype = ntohl(nla_get_be32(tb[NFTA_OBJREF_TYPE]));
+
+ if (objtype != NFT_OBJECT_UNSPEC &&
+ set->objtype != objtype)
+ return -EOPNOTSUPP;
+
 priv->set = set;
 return 0;
 }
-- 
2.11.0
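Review bot: The new type check in the second hunk returns `-EOPNOTSUPP` after the function's final `if (err < 0) return err;`, so whatever that earlier call set up is not undone on a type mismatch. The call itself is outside the hunk, but if it is the set binding, this early return would leave the expression bound to the set; the check would be safer placed before that step, or paired with an unbind on failure. Separately, `nla_get_be32(tb[NFTA_OBJREF_TYPE])` reads four bytes from a userspace-supplied attribute, and the diffstat's 8 insertions are all accounted for by these two hunks, so this patch adds no policy entry. Please confirm the expression's policy table carries `[NFTA_OBJREF_TYPE] = { .type = NLA_U32 }` and that the attribute index is within the bounds of `tb[]`; without length validation a short attribute could be read past its payload.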