Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

netfilter: nft_osf: restrict osf to ipv4, ipv6 and inet families

As it was originally intended, restrict the extension to supported families.

Fixes: b96af92d6eaf ("netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

+15 -3
net/netfilter/nft_osf.c
··· 115 115 const struct nft_expr *expr, 116 116 const struct nft_data **data) 117 117 { 118 - return nft_chain_validate_hooks(ctx->chain, (1 << NF_INET_LOCAL_IN) | 119 - (1 << NF_INET_PRE_ROUTING) | 120 - (1 << NF_INET_FORWARD)); 118 + unsigned int hooks; 119 + 120 + switch (ctx->family) { 121 + case NFPROTO_IPV4: 122 + case NFPROTO_IPV6: 123 + case NFPROTO_INET: 124 + hooks = (1 << NF_INET_LOCAL_IN) | 125 + (1 << NF_INET_PRE_ROUTING) | 126 + (1 << NF_INET_FORWARD); 127 + break; 128 + default: 129 + return -EOPNOTSUPP; 130 + } 131 + 132 + return nft_chain_validate_hooks(ctx->chain, hooks); 121 133 } 122 134 123 135 static bool nft_osf_reduce(struct nft_regs_track *track,
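Review bot: the family check is only enforced from the ->validate callback, so a rule using osf in a family outside IPv4/IPv6/inet is refused when the chain is validated rather than when the expression is instantiated; if the intent is to reject it as early as possible, the same `switch (ctx->family)` could also live in the expression's ->init callback (not part of this hunk). The hunk itself is sound: `hooks` is assigned on every path that reaches `nft_chain_validate_hooks(ctx->chain, hooks)`, the `default:` arm returns -EOPNOTSUPP before `hooks` is read, and the mask for the supported families (NF_INET_LOCAL_IN, NF_INET_PRE_ROUTING, NF_INET_FORWARD) is unchanged from the removed lines. One minor style point: the blank line between `unsigned int hooks;` and the `switch` is fine, but the result could be returned directly from the IPv4/IPv6/inet case, dropping the variable and the `break;`; keeping the variable is acceptable if further families are expected to need a different mask.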