diff options
author | Florian Westphal <fw@strlen.de> | 2022-08-20 17:54:06 +0200 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2022-08-23 21:24:34 +0200 |
commit | 18bbc3213383a82b05383827f4b1b882e3f0a5a5 (patch) | |
tree | 26006a63f818301339915afbd8bfe501c8602a81 /net | |
parent | netfilter: conntrack: work around exceeded receive window (diff) | |
download | linux-18bbc3213383a82b05383827f4b1b882e3f0a5a5.tar.xz linux-18bbc3213383a82b05383827f4b1b882e3f0a5a5.zip |
netfilter: nft_tproxy: restrict to prerouting hook
TPROXY is only allowed from prerouting, but nft_tproxy doesn't check this.
This fixes a crash (null dereference) when using tproxy from e.g. output.
Fixes: 4ed8eb6570a4 ("netfilter: nf_tables: Add native tproxy support")
Reported-by: Shell Chen <xierch@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'net')
-rw-r--r-- | net/netfilter/nft_tproxy.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c index 68b2eed742df..62da25ad264b 100644 --- a/net/netfilter/nft_tproxy.c +++ b/net/netfilter/nft_tproxy.c @@ -312,6 +312,13 @@ static int nft_tproxy_dump(struct sk_buff *skb, return 0; } +static int nft_tproxy_validate(const struct nft_ctx *ctx, + const struct nft_expr *expr, + const struct nft_data **data) +{ + return nft_chain_validate_hooks(ctx->chain, 1 << NF_INET_PRE_ROUTING); +} + static struct nft_expr_type nft_tproxy_type; static const struct nft_expr_ops nft_tproxy_ops = { .type = &nft_tproxy_type, @@ -321,6 +328,7 @@ static const struct nft_expr_ops nft_tproxy_ops = { .destroy = nft_tproxy_destroy, .dump = nft_tproxy_dump, .reduce = NFT_REDUCE_READONLY, + .validate = nft_tproxy_validate, }; static struct nft_expr_type nft_tproxy_type __read_mostly = { |