diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-03-23 14:27:16 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2020-04-02 17:20:35 +0200 |
commit | 282fd1fb2ff8f2f1b722903d8af844ef346424c1 (patch) | |
tree | 38f229526e000432456b7904c6b931b43dd6fb66 | |
parent | 86e98ce7de083649e330d518e98a80b9e39b5d43 (diff) |
netfilter: nft_fwd_netdev: validate family and chain type
commit 76a109fac206e158eb3c967af98c178cff738e6a upstream.
Make sure the forward action is only used from ingress.
Fixes: 39e6dea28adc ("netfilter: nf_tables: add forward expression to the netdev family")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | net/netfilter/nft_fwd_netdev.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/net/netfilter/nft_fwd_netdev.c b/net/netfilter/nft_fwd_netdev.c index 763ebc3e0b2b..f93047f974e1 100644 --- a/net/netfilter/nft_fwd_netdev.c +++ b/net/netfilter/nft_fwd_netdev.c @@ -62,6 +62,13 @@ nla_put_failure: return -1; } +static int nft_fwd_validate(const struct nft_ctx *ctx, + const struct nft_expr *expr, + const struct nft_data **data) +{ + return nft_chain_validate_hooks(ctx->chain, (1 << NF_NETDEV_INGRESS)); +} + static struct nft_expr_type nft_fwd_netdev_type; static const struct nft_expr_ops nft_fwd_netdev_ops = { .type = &nft_fwd_netdev_type, @@ -69,6 +76,7 @@ static const struct nft_expr_ops nft_fwd_netdev_ops = { .eval = nft_fwd_netdev_eval, .init = nft_fwd_netdev_init, .dump = nft_fwd_netdev_dump, + .validate = nft_fwd_validate, }; static struct nft_expr_type nft_fwd_netdev_type __read_mostly = { |