Bail out if userspace creates a chain binding which remains unbound after this transaction. Use list of pending objects, which is already used by pending anonymous set which are not yet bound to rule.
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 include/net/netfilter/nf_tables.h | 1 +
 net/netfilter/nf_tables_api.c | 8 ++++++++
 net/netfilter/nft_immediate.c | 1 +
 3 files changed, 10 insertions(+)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index d24146b526a1..161913fc098b 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1085,6 +1085,7 @@ struct nft_chain {
 struct nft_rule_blob __rcu *blob_gen_0;
 struct nft_rule_blob __rcu *blob_gen_1;
 struct list_head rules;
+ struct list_head pending_list;
 struct list_head list;
 struct rhlist_head rhlhead;
 struct nft_table *table;
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 11beb6750531..f7917f678719 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2370,6 +2370,12 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
 goto err_unregister_hook;
 }
 
+ if (nft_chain_binding(chain)) {
+ struct nftables_pernet *nft_net = nft_pernet(ctx->net);
+
+ list_add_tail(&chain->pending_list, &nft_net->pending_list);
+ }
+
 table->use++;
 
 return 0;
@@ -9694,6 +9700,8 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
 if (nft_chain_is_bound(trans->ctx.chain)) {
 nft_trans_destroy(trans);
 break;
+ } else if (nft_chain_binding(trans->ctx.chain)) {
+ list_del(&trans->ctx.chain->pending_list);
 }
 trans->ctx.table->use--;
 nft_chain_del(trans->ctx.chain);
diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c
index 054243b9b89e..929879d1c048 100644
--- a/net/netfilter/nft_immediate.c
+++ b/net/netfilter/nft_immediate.c
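Review bot: The new `pending_list` member added to `struct nft_chain` carries no comment saying which list it links into or when it is valid, and the nf_tables_api.c hunk shows it is only linked for chains where nft_chain_binding() is true, so for every other chain the list_head is never initialised. A one-line comment on the field would keep a future caller from issuing an unguarded list_del() on it: `struct list_head pending_list; /* link in nft_net->pending_list; valid only for binding chains until they are bound */`.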
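Review bot: The `list_add_tail(&chain->pending_list, &nft_net->pending_list)` added at the tail of nf_tables_addchain() is only meaningful if the commit path refuses a transaction that leaves a binding chain on that list, and none of the three files in this patch adds or names such a check; the description says the list already serves unbound anonymous sets, so presumably an existing check covers it, but that cannot be confirmed from the hunks. Without it a binding chain that is never bound stays linked after commit, and any later release of that chain that does not pass through the abort or bind paths would leave a dangling entry on the per-netns list. Since sets and chains now share one list and the element type is not recoverable from the list_head alone, the commit message should name the rejecting function and state that it is a plain emptiness test of `nft_net->pending_list` rather than a set-typed walk. nf_tables_addchain() starts outside the hunk.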
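Review bot: The removal in the abort path, `list_del(&trans->ctx.chain->pending_list);`, and the matching one in nft_immediate_init() in nft_immediate.c both rely on the chain having been linked earlier in nf_tables_addchain(); for a chain that was never linked the list_head is uninitialised, and a second list_del() on the same chain would dereference the poison pointers the first one left behind. Initialising the head unconditionally in nf_tables_addchain() with `INIT_LIST_HEAD(&chain->pending_list);` before the `if (nft_chain_binding(chain))` block and using `list_del_init()` at both removal sites makes each removal idempotent at no cost. The `else if` branch is otherwise correctly placed before `nft_chain_del()`; __nf_tables_abort() continues on both sides of the hunk.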
@@ -82,6 +82,7 @@ static int nft_immediate_init(const struct nft_ctx *ctx,
 goto err1;
 }
 chain->bound = true;
+ list_del(&chain->pending_list);
 }
 break;
 default:
-- 
2.30.2
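Review bot: The `list_del(&chain->pending_list);` added after `chain->bound = true;` is only valid for chains that nf_tables_addchain() linked into `nft_net->pending_list`, that is, those for which nft_chain_binding() holds; the `if` enclosing this block begins outside the hunk, so the guard cannot be confirmed here and should be checked when applying. nft_immediate_init() starts before the hunk.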