| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-08-21 16:25:07 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2022-08-31 17:15:18 +0200 |
| commit | 9a67c2c89c32bca7da6082c6b174457f8521121a (patch) | |
| tree | 3f42006273f3df0eefbd4781f06ad0e719a955ee /net | |
| parent | c907dfe4eaca9665694a0340de1458a093abe354 (diff) | |
| download | linux-9a67c2c89c32bca7da6082c6b174457f8521121a.tar.gz linux-9a67c2c89c32bca7da6082c6b174457f8521121a.tar.bz2 linux-9a67c2c89c32bca7da6082c6b174457f8521121a.zip | |
netfilter: nft_osf: restrict osf to ipv4, ipv6 and inet families
[ Upstream commit 5f3b7aae14a706d0d7da9f9e39def52ff5fc3d39 ]
As it was originally intended, restrict the extension to the supported families.
Fixes: b96af92d6eaf ("netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/netfilter/nft_osf.c | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/net/netfilter/nft_osf.c b/net/netfilter/nft_osf.c
index d82677e83400..720dc9fba6d4 100644
--- a/net/netfilter/nft_osf.c
+++ b/net/netfilter/nft_osf.c
@@ -115,9 +115,21 @@ static int nft_osf_validate(const struct nft_ctx *ctx,
 const struct nft_expr *expr,
 const struct nft_data **data)
 {
- return nft_chain_validate_hooks(ctx->chain, (1 << NF_INET_LOCAL_IN) |
- (1 << NF_INET_PRE_ROUTING) |
- (1 << NF_INET_FORWARD));
+ unsigned int hooks;
+
+ switch (ctx->family) {
+ case NFPROTO_IPV4:
+ case NFPROTO_IPV6:
+ case NFPROTO_INET:
+ hooks = (1 << NF_INET_LOCAL_IN) |
+ (1 << NF_INET_PRE_ROUTING) |
+ (1 << NF_INET_FORWARD);
+ break;
+ default:
+ return -EOPNOTSUPP;
+ }
+
+ return nft_chain_validate_hooks(ctx->chain, hooks);
 }
 static struct nft_expr_type nft_osf_type; |
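Review bot: The new `default:` branch in nft_osf_validate() turns every family other than IPv4, IPv6 and inet into -EOPNOTSUPP, but nothing in the code says why, so a later reader may read the default case as an omission and add another family back without checking whether osf can handle it. I would document the restriction next to the switch, e.g. `/* osf only supports the IP families; any other family is rejected at validation time. */`, since the commit message is the only place that intent is recorded. Leaving `hooks` uninitialized at its declaration is fine as written: the only path that reaches nft_chain_validate_hooks() is the one that assigns it, and the default case returns first. The function's signature sits in the hunk header context, so nft_osf_validate() begins before the hunk's first line.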
