summaryrefslogtreecommitdiffstats
path: root/include/net
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@netfilter.org>2015-01-14 15:33:57 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2015-01-19 14:52:39 +0100
commit75e8d06d4308436055d1a78a2c02bf6328ba724d (patch)
tree64fcef16df64c35c2f3ceca20982d3723a2637c4 /include/net
parent2061dcd6bff8b774b4fac8b0739b6be3f87bc9f2 (diff)
downloadop-kernel-dev-75e8d06d4308436055d1a78a2c02bf6328ba724d.zip
op-kernel-dev-75e8d06d4308436055d1a78a2c02bf6328ba724d.tar.gz
netfilter: nf_tables: validate hooks in NAT expressions
The user can crash the kernel if it uses any of the existing NAT expressions from the wrong hook, so add some code to validate this when loading the rule. This patch introduces nft_chain_validate_hooks() which is based on an existing function in the bridge version of the reject expression. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/net')
-rw-r--r--include/net/netfilter/nf_tables.h2
1 files changed, 2 insertions, 0 deletions
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 3ae969e..9eaaa78 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -530,6 +530,8 @@ enum nft_chain_type {
int nft_chain_validate_dependency(const struct nft_chain *chain,
enum nft_chain_type type);
+int nft_chain_validate_hooks(const struct nft_chain *chain,
+ unsigned int hook_flags);
struct nft_stats {
u64 bytes;
OpenPOWER on IntegriCloud