Patch "netfilter: nft_ct: fix l3num expectations with inet pseudo family" has been added to the 5.10-stable tree

This is a note to let you know that I've just added the patch titled

    netfilter: nft_ct: fix l3num expectations with inet pseudo family

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-nft_ct-fix-l3num-expectations-with-inet-ps.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 931d1d5c022b5c2ad225abc7764c230b06ee7f1c
Author: Florian Westphal <fw@xxxxxxxxx>
Date:   Fri Mar 1 13:38:15 2024 +0100

    netfilter: nft_ct: fix l3num expectations with inet pseudo family
    
    [ Upstream commit 99993789966a6eb4f1295193dc543686899892d3 ]
    
    The following is rejected but should be allowed:
    
    table inet t {
            ct expectation exp1 {
                    [..]
                    l3proto ip
    
    Valid combos are:
    table ip t, l3proto ip
    table ip6 t, l3proto ip6
    table inet t, l3proto ip OR l3proto ip6
    
    Disallow inet pseudo family, the l3num must be an on-wire protocol known
    to conntrack.
    
    Retain NFPROTO_INET case to make it clear it's rejected
    intentionally rather than as an oversight.
    
    Fixes: 8059918a1377 ("netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations")
    Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
    Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 2b15dbbca98b3..2a8dfa68f6e20 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -1188,14 +1188,13 @@ static int nft_ct_expect_obj_init(const struct nft_ctx *ctx,
 	switch (priv->l3num) {
 	case NFPROTO_IPV4:
 	case NFPROTO_IPV6:
-		if (priv->l3num != ctx->family)
-			return -EINVAL;
+		if (priv->l3num == ctx->family || ctx->family == NFPROTO_INET)
+			break;
 
-		fallthrough;
-	case NFPROTO_INET:
-		break;
+		return -EINVAL;
+	case NFPROTO_INET: /* tuple.src.l3num supports NFPROTO_IPV4/6 only */
 	default:
-		return -EOPNOTSUPP;
+		return -EAFNOSUPPORT;
 	}
 
 	priv->l4proto = nla_get_u8(tb[NFTA_CT_EXPECT_L4PROTO]);
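Review bot: the errno returned for an unsupported l3num changes from -EOPNOTSUPP to -EAFNOSUPPORT, which is visible to userspace, but the commit message does not mention the new return value; suggest stating it there (or keeping -EOPNOTSUPP if existing tooling matches on it). The logic itself looks right: `if (priv->l3num == ctx->family || ctx->family == NFPROTO_INET) break;` accepts exactly the three combinations listed in the commit message and rejects an ip/ip6 mismatch with -EINVAL, and the now-empty `case NFPROTO_INET:` label stacked directly on `default:` needs no `fallthrough;` annotation because it carries no statements of its own.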



