TWxSoftware/twx-linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

netfilter: nft_tproxy: restrict to prerouting hook

Browse Source 
commit 18bbc32133 upstream.

TPROXY is only allowed from prerouting, but nft_tproxy doesn't check this.
This fixes a crash (null dereference) when using tproxy from e.g. output.

Fixes: 4ed8eb6570 ("netfilter: nf_tables: Add native tproxy support")
Reported-by: Shell Chen <xierch@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Qingfang DENG <dqfext@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Florian Westphal
2022-08-20 17:54:06 +02:00
committed by Greg Kroah-Hartman
parent 6618b0dcf2
commit eaba3f9b67
1 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
net/netfilter/nft_tproxy.c
+8
View File
@@ -289,6 +289,13 @@ static int nft_tproxy_dump(struct sk_buff *skb,
return 0; return 0;
} }
static int nft_tproxy_validate(const struct nft_ctx *ctx,
const struct nft_expr *expr,
const struct nft_data **data)
{
return nft_chain_validate_hooks(ctx->chain, 1 << NF_INET_PRE_ROUTING);
}
static struct nft_expr_type nft_tproxy_type; static struct nft_expr_type nft_tproxy_type;
static const struct nft_expr_ops nft_tproxy_ops = { static const struct nft_expr_ops nft_tproxy_ops = {
.type = &nft_tproxy_type, .type = &nft_tproxy_type,
@@ -296,6 +303,7 @@ static const struct nft_expr_ops nft_tproxy_ops = {
.eval = nft_tproxy_eval, .eval = nft_tproxy_eval,
.init = nft_tproxy_init, .init = nft_tproxy_init,
.dump = nft_tproxy_dump, .dump = nft_tproxy_dump,
.validate = nft_tproxy_validate,
}; };
static struct nft_expr_type nft_tproxy_type __read_mostly = { static struct nft_expr_type nft_tproxy_type __read_mostly = {