authorFlorian Westphal <fw@strlen.de>2017-12-08 17:01:55 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2018-01-08 18:01:14 +0100
commit84ba7dd71add05b52e55c60b4a3af9bb6194c73d (patch)
tree2ce13364a97e60958169bc966862215912317f07
parentf92b40a8b2645af38bd6814651c59c1e690db53d (diff)
downloadlinux-84ba7dd71add05b52e55c60b4a3af9bb6194c73d.tar.bz2
netfilter: nf_tables: reject nat hook registration if prio is before conntrack
No problem for iptables as priorities are fixed values defined in the nat modules, but in nftables the priority is coming from userspace. Reject in case we see that such a hook would not work. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--net/netfilter/nf_tables_api.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 838eb581b5ab..36d38f8b0284 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1264,7 +1264,7 @@ static void nf_tables_chain_destroy(struct nft_chain *chain)
struct nft_chain_hook {
u32 num;
- u32 priority;
+ s32 priority;
const struct nf_chain_type *type;
struct net_device *dev;
};
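Review bot: The change of `priority` from u32 to s32 is only explained by the NAT/conntrack comparison in the second hunk, so the struct field deserves a comment stating why it is signed: `s32 priority; /* signed: netfilter hook priorities such as NF_IP_PRI_CONNTRACK are negative */`. With an unsigned field, a negative priority supplied from userspace would presumably compare as a large positive value and slip past the `hook->priority <= NF_IP_PRI_CONNTRACK` check, so the two hunks depend on each other and should not be applied separately. It may also be worth confirming that the attribute parsing that fills this field (outside the hunk) treats the value as signed so that the comparison sees the intended range.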
@@ -1303,6 +1303,11 @@ static int nft_chain_parse_hook(struct net *net,
}
if (!(type->hook_mask & (1 << hook->num)))
return -EOPNOTSUPP;
+
+ if (type->type == NFT_CHAIN_T_NAT &&
+ hook->priority <= NF_IP_PRI_CONNTRACK)
+ return -EOPNOTSUPP;
+
if (!try_module_get(type->owner))
return -ENOENT;