Commit a4c2e8be authored by Patrick McHardy's avatar Patrick McHardy Committed by Pablo Neira Ayuso

netfilter: nft_nat: fix family validation

The family in the NAT expression is basically completely useless since
we have it available during runtime anyway. Nevertheless it is used to
decide the NAT family, so at least validate it properly. As we don't
support cross-family NAT, it needs to match the family of the table the
expression exists in.

Unfortunately we can't remove it completely since we need to dump it for
userspace (*sigh*), so at least reduce the memory waste.

Additionally clean up the module init function by removing useless
temporary variables.
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent d46f2cd2
...@@ -31,8 +31,8 @@ struct nft_nat { ...@@ -31,8 +31,8 @@ struct nft_nat {
enum nft_registers sreg_addr_max:8; enum nft_registers sreg_addr_max:8;
enum nft_registers sreg_proto_min:8; enum nft_registers sreg_proto_min:8;
enum nft_registers sreg_proto_max:8; enum nft_registers sreg_proto_max:8;
int family; enum nf_nat_manip_type type:8;
enum nf_nat_manip_type type; u8 family;
}; };
static void nft_nat_eval(const struct nft_expr *expr, static void nft_nat_eval(const struct nft_expr *expr,
...@@ -88,6 +88,7 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr, ...@@ -88,6 +88,7 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
const struct nlattr * const tb[]) const struct nlattr * const tb[])
{ {
struct nft_nat *priv = nft_expr_priv(expr); struct nft_nat *priv = nft_expr_priv(expr);
u32 family;
int err; int err;
if (tb[NFTA_NAT_TYPE] == NULL) if (tb[NFTA_NAT_TYPE] == NULL)
...@@ -107,9 +108,12 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr, ...@@ -107,9 +108,12 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
if (tb[NFTA_NAT_FAMILY] == NULL) if (tb[NFTA_NAT_FAMILY] == NULL)
return -EINVAL; return -EINVAL;
priv->family = ntohl(nla_get_be32(tb[NFTA_NAT_FAMILY])); family = ntohl(nla_get_be32(tb[NFTA_NAT_FAMILY]));
if (priv->family != AF_INET && priv->family != AF_INET6) if (family != AF_INET && family != AF_INET6)
return -EINVAL; return -EAFNOSUPPORT;
if (family != ctx->afi->family)
return -EOPNOTSUPP;
priv->family = family;
if (tb[NFTA_NAT_REG_ADDR_MIN]) { if (tb[NFTA_NAT_REG_ADDR_MIN]) {
priv->sreg_addr_min = ntohl(nla_get_be32( priv->sreg_addr_min = ntohl(nla_get_be32(
...@@ -202,13 +206,7 @@ static struct nft_expr_type nft_nat_type __read_mostly = { ...@@ -202,13 +206,7 @@ static struct nft_expr_type nft_nat_type __read_mostly = {
static int __init nft_nat_module_init(void) static int __init nft_nat_module_init(void)
{ {
int err; return nft_register_expr(&nft_nat_type);
err = nft_register_expr(&nft_nat_type);
if (err < 0)
return err;
return 0;
} }
static void __exit nft_nat_module_exit(void) static void __exit nft_nat_module_exit(void)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment