Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> Several expressions explicitly refer to NF_INET_* hook definitions
> from expr->ops->validate, however, family is not validated.
>
> Bail out with EOPNOTSUPP in case they are used from unsupported
> families.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
> This is v1:
>
> NF_INET_* and NF_NETDEV_* hook definitions overlap, and .validate refers to
> hooks only in several expressions, not families.
>
> - synproxy refers to NFPROTO_BRIDGE from eval path, however, .validate does
> not refer to bridge hooks. Probably those NFPROTO_BRIDGE should be removed then.
> diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
> index 5284cd2ad532..61f5498b73ef 100644
> --- a/net/netfilter/nft_compat.c
> +++ b/net/netfilter/nft_compat.c
> @@ -350,6 +350,11 @@ static int nft_target_validate(const struct nft_ctx *ctx,
> unsigned int hook_mask = 0;
> int ret;
>
> + if (ctx->family != NFPROTO_IPV4 &&
> + ctx->family != NFPROTO_IPV6 &&
> + ctx->family != NFPROTO_BRIDGE)
> + return -EOPNOTSUPP;
> +
> if (nft_is_base_chain(ctx->chain)) {
> const struct nft_base_chain *basechain =
> nft_base_chain(ctx->chain);
> @@ -595,6 +600,11 @@ static int nft_match_validate(const struct nft_ctx *ctx,
> unsigned int hook_mask = 0;
> int ret;
>
> + if (ctx->family != NFPROTO_IPV4 &&
> + ctx->family != NFPROTO_IPV6 &&
> + ctx->family != NFPROTO_BRIDGE)
> + return -EOPNOTSUPP;
> +

Both need to permit NFPROTO_ARP too.

LGTM otherwise.
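Review bot: the family allow-list inserted at the top of nft_target_validate() (the first hunk, at -350,6 +350,11) omits NFPROTO_ARP, so an xtables target loaded into an arp-family table through the compat layer (the arptables path) would now be rejected with -EOPNOTSUPP before the existing base-chain hook checks run. Extend the condition with `ctx->family != NFPROTO_ARP &&` alongside the NFPROTO_IPV4/IPV6/BRIDGE tests.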
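Review bot: the second hunk (nft_match_validate(), at -595,6 +600,11) has the same gap: NFPROTO_ARP is missing from the allow-list, so arp-family matches would fail validation with -EOPNOTSUPP. Since the condition is a verbatim copy of the one in nft_target_validate(), consider factoring it into one small helper so the two lists cannot drift apart when a family is added or removed later.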