Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> Validate table family when looking up for it via NFTA_TABLE_HANDLE.
>
> Reported-by: Xingyuan Mo <hdthky0@xxxxxxxxx>
> Fixes: 3ecbfd65f50e ("netfilter: nf_tables: allocate handle and delete objects via handle")
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
> net/netfilter/nf_tables_api.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)

This changes behaviour, before this change you can do

nft delete table handle 42

and it will delete the table with handle 42.
After this change, the command will only work if this table
happens to be in 'ip' family.

> - table = nft_table_lookup_byhandle(net, attr, genmask, > + table = nft_table_lookup_byhandle(net, attr, family, genmask, > NETLINK_CB(skb).portid);

Perhaps leave as-is and:

  if (!IS_ERR(table)) family = table->family?

(or ctx.family =, but then the strange ctx.family assignment at
end of function needs to go).
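
Review bot: The changelog does not state the user-visible effect of passing `family` at the `nft_table_lookup_byhandle(net, attr, family, genmask,` call. As the reply points out, a request that names only a handle now also has to match on family. Suggest documenting in the commit message which family a request without an explicit family is checked against and what the caller gets back when the handle exists in a different family, so the change can be read against the commit named in the Fixes: tag. The diffstat lists 3 insertions and 2 deletions, but only this one call is quoted, so the remaining changed lines cannot be checked from the quoted text.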