On Mon, Dec 04, 2023 at 03:03:41PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > Validate table family when looking up for it via NFTA_TABLE_HANDLE.
> >
> > Reported-by: Xingyuan Mo <hdthky0@xxxxxxxxx>
> > Fixes: 3ecbfd65f50e ("netfilter: nf_tables: allocate handle and delete objects via handle")
> > Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> > ---
> > net/netfilter/nf_tables_api.c | 5 +++--
> > 1 file changed, 3 insertions(+), 2 deletions(-)
>
> This changes behaviour, before this change you can do
>
> nft delete table handle 42
>
> and it will delete the table with handle 42.

Default family is 'ip' if not specified, that is inconsistent with other objects?

> After this change, the command will only work if this table happens
> to be in 'ip' family.
>
> > - table = nft_table_lookup_byhandle(net, attr, genmask,
> > + table = nft_table_lookup_byhandle(net, attr, family, genmask,
> > NETLINK_CB(skb).portid);
>
> Perhaps leave as-is and:
> if (!IS_ERR(table))
> family = table->family?
>
> (or ctx.family =, but then the strange ctx.family assignment at end
> of function needs to go).
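
Review bot: the changelog says the family is validated on NFTA_TABLE_HANDLE lookups but does not say what goes wrong when it is not, nor that the changed call (nft_table_lookup_byhandle(net, attr, family, genmask, ...) makes a handle lookup match only within the request's family. Since a request that names only a handle falls back to the default 'ip' family, as discussed in this thread, the commit message should state that consequence explicitly, or explain why scoping the lookup by family is preferred over taking the family from the table that the handle resolves to.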