
netfilter: nft_fwd_netdev: validate family and chain type

Make sure the forward action is only used from ingress.

Fixes: 39e6dea28adc ("netfilter: nf_tables: add forward expression to the netdev family")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

+9
+9
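--- a/net/netfilter/nft_fwd_netdev.c
+++ b/net/netfilter/nft_fwd_netdev.c
@@ -190,6 +190,13 @@
 	return -1;
 }
 
+static int nft_fwd_validate(const struct nft_ctx *ctx,
+			    const struct nft_expr *expr,
+			    const struct nft_data **data)
+{
+	return nft_chain_validate_hooks(ctx->chain, (1 << NF_NETDEV_INGRESS));
+}
+
 static struct nft_expr_type nft_fwd_netdev_type;
 static const struct nft_expr_ops nft_fwd_neigh_netdev_ops = {
 	.type		= &nft_fwd_netdev_type,
@@ -197,6 +204,7 @@
 	.eval		= nft_fwd_neigh_eval,
 	.init		= nft_fwd_neigh_init,
 	.dump		= nft_fwd_neigh_dump,
+	.validate	= nft_fwd_validate,
 };
 
 static const struct nft_expr_ops nft_fwd_netdev_ops = {
@@ -205,6 +213,7 @@
 	.eval		= nft_fwd_netdev_eval,
 	.init		= nft_fwd_netdev_init,
 	.dump		= nft_fwd_netdev_dump,
+	.validate	= nft_fwd_validate,
 	.offload	= nft_fwd_netdev_offload,
 };
 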
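Review bot: nft_fwd_validate restricts only the hook mask to NF_NETDEV_INGRESS, while the subject line also promises a family check; nothing in the hunk inspects ctx->family, so that half of the claim presumably rests on the expression type's registration outside this diff and deserves to be stated next to the new function. A one-line comment would make the intent self-contained, e.g. `/* fwd is only valid from the netdev ingress hook; the family restriction is expected to come from the expr type registration */`. The unused expr and data parameters are part of the validate callback signature and need no handling. The same callback is wired into both nft_fwd_neigh_netdev_ops and nft_fwd_netdev_ops in the second and third hunks, so both variants get the same check; the ops tables themselves start outside the hunks.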