* [nf-next PATCH v2] netfilter: nf_tables: Reject tables of unsupported family
@ 2022-02-16 12:14 Phil Sutter
From: Phil Sutter @ 2022-02-16 12:14 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel, Florian Westphal

An nftables family is merely a hollow container, its family just a
number and as such not reliant on compile-time options other than nftables
support itself. Add an artificial check so attempts at using a family
the kernel can't support fail as early as possible. This helps user
space detect kernels which lack e.g. NFPROTO_INET.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
Changes since v1:
- Avoid a compiler warning if none of the tested symbols are enabled.
---
 net/netfilter/nf_tables_api.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 5fa16990da951..85e74e165fc14 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1072,6 +1072,33 @@ static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
 	return strcmp(obj->key.name, k->name);
 }
 
+static bool nft_supported_family(int family)
+{
+	if (0
+#ifdef CONFIG_NF_TABLES_INET
+	    || family == NFPROTO_INET
+#endif
+#ifdef CONFIG_NF_TABLES_IPV4
+	    || family == NFPROTO_IPV4
+#endif
+#ifdef CONFIG_NF_TABLES_ARP
+	    || family == NFPROTO_ARP
+#endif
+#ifdef CONFIG_NF_TABLES_NETDEV
+	    || family == NFPROTO_NETDEV
+#endif
+#if IS_ENABLED(CONIFG_NF_TABLES_BRIDGE)
+	    || family == NFPROTO_BRIDGE
+#endif
+#ifdef CONFIG_NF_TABLES_IPV6
+	    || family == NFPROTO_IPV6
+#endif
+	   )
+		return true;
+
+	return false;
+}
+
 static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
 			      const struct nlattr * const nla[])
 {
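Review bot: the bridge guard `#if IS_ENABLED(CONIFG_NF_TABLES_BRIDGE)` misspells the Kconfig symbol (CONIFG instead of CONFIG), so IS_ENABLED() expands against an undefined name and is always false; with this patch NFPROTO_BRIDGE tables would be rejected with -EOPNOTSUPP even on kernels that do have nf_tables bridge support, which is the opposite of what the commit message intends. Change it to `#if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)`. The `if (0 || ...)` construction is otherwise a reasonable way to keep the function compiling when none of the options are set, as noted in the v2 changelog.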
@@ -1086,6 +1113,9 @@ static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
 	u32 flags = 0;
 	int err;
 
+	if (!nft_supported_family(family))
+		return -EOPNOTSUPP;
+
 	lockdep_assert_held(&nft_net->commit_mutex);
 	attr = nla[NFTA_TABLE_NAME];
 	table = nft_table_lookup(net, attr, family, genmask,
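Review bot: placing the check ahead of lockdep_assert_held() is fine since it touches no shared state, but consider returning -EAFNOSUPPORT instead of -EOPNOTSUPP here. The commit message says the goal is to let user space detect a kernel lacking a given family; -EOPNOTSUPP is already used widely in nf_tables for unsupported requests, so a distinct address-family error gives the caller a clearer signal. Note also that the check only guards table creation in nf_tables_newtable(); requests for an unsupported family on other paths keep their previous behaviour.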
-- 
2.34.1
