On Thu, Oct 03, 2024 at 08:30:46PM +0200, Florian Westphal wrote: > Restrict this match to iptables/ip6tables. > syzbot managed to call it via ebtables: > > WARNING: CPU: 0 PID: 11 at net/netfilter/xt_cluster.c:72 xt_cluster_mt+0x196/0x780 > [..] > ebt_do_table+0x174b/0x2a40 > > Module registers to NFPROTO_UNSPEC, but it assumes ipv4/ipv6 packet > processing. As this is only useful to restrict locally terminating > TCP/UDP traffic, reject non-ip families at rule load time. Fine with me. I had a similar patch looking like this. This was never intended to be used by ebtables. > Reported-by: syzbot+256c348558aa5cf611a9@xxxxxxxxxxxxxxxxxxxxxxxxx > Tested-by: syzbot+256c348558aa5cf611a9@xxxxxxxxxxxxxxxxxxxxxxxxx > Fixes: 0269ea493734 ("netfilter: xtables: add cluster match") > Signed-off-by: Florian Westphal <fw@xxxxxxxxx> > --- > net/netfilter/xt_cluster.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c > index a047a545371e..fa45af1c48a9 100644 > --- a/net/netfilter/xt_cluster.c > +++ b/net/netfilter/xt_cluster.c > @@ -124,6 +124,14 @@ static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par) > struct xt_cluster_match_info *info = par->matchinfo; > int ret; > > + switch (par->family) { > + case NFPROTO_IPV4: > + case NFPROTO_IPV6: > + break; > + default: > + return -EAFNOSUPPORT; > + } > + > if (info->total_nodes > XT_CLUSTER_NODES_MAX) { > pr_info_ratelimited("you have exceeded the maximum number of cluster nodes (%u > %u)\n", > info->total_nodes, XT_CLUSTER_NODES_MAX); > -- > 2.45.2 > >
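Review bot: the new switch in xt_cluster_mt_checkentry() rejects non-IP families silently, while the very next check (total_nodes > XT_CLUSTER_NODES_MAX) reports the reason with pr_info_ratelimited(); an ebtables user who hits -EAFNOSUPPORT gets only "Address family not supported by protocol" with no hint that the cluster match is ip/ip6-only, so consider adding a matching pr_info_ratelimited("cluster match only supports ipv4/ipv6\n") in the default: arm before the return. Since the commit message notes the module registers with NFPROTO_UNSPEC, the alternative is to register two xt_match entries for NFPROTO_IPV4 and NFPROTO_IPV6 so that the ebtables lookup fails at table lookup time and the runtime check in checkentry becomes unnecessary; either is fine, but the chosen family filter should be mentioned in the module's description or Kconfig text so the restriction is documented.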