netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV

Bail out on using the tunnel dst template from other than netdev family. Add the infrastructure to check for the family in objects. Fixes: af308b94a2a4 ("netfilter: nf_tables: add tunnel support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2024-01-23 23:45:32 +0100
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2024-01-31 23:07:04 +0100
commit: 776d451648443f9884be4a1b4e38e8faf1c621f9 (patch)
tree: 89653106ce22d62733c460d45e19cd672c8a8510 /include
parent: netfilter: conntrack: correct window scaling with retransmitted SYN (diff)
download: linux-776d451648443f9884be4a1b4e38e8faf1c621f9.tar.xz
linux-776d451648443f9884be4a1b4e38e8faf1c621f9.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 4e1ea18eb5f0..001226c34621 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1351,6 +1351,7 @@ void nft_obj_notify(struct net *net, const struct nft_table *table,
  *	@type: stateful object numeric type
  *	@owner: module owner
  *	@maxattr: maximum netlink attribute
+ *	@family: address family for AF-specific object types
  *	@policy: netlink attribute policy
  */
 struct nft_object_type {
@@ -1360,6 +1361,7 @@ struct nft_object_type {
 	struct list_head		list;
 	u32				type;
 	unsigned int                    maxattr;
+	u8				family;
 	struct module			*owner;
 	const struct nla_policy		*policy;
 };
author	Pablo Neira Ayuso <pablo@netfilter.org>	2024-01-23 23:45:32 +0100
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2024-01-31 23:07:04 +0100
commit	776d451648443f9884be4a1b4e38e8faf1c621f9 (patch)
tree	89653106ce22d62733c460d45e19cd672c8a8510 /include
parent	netfilter: conntrack: correct window scaling with retransmitted SYN (diff)
download	linux-776d451648443f9884be4a1b4e38e8faf1c621f9.tar.xz linux-776d451648443f9884be4a1b4e38e8faf1c621f9.zip