diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-05-14 14:57:23 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-05-15 20:14:07 +0200 |
commit | 55917a21d0cc012bb6073bb05bb768fd51d8e237 (patch) | |
tree | e484cdbbe6bac4e5b4921117635356a1dfc1bc6d /include/linux | |
parent | 12b7ed29bdea2d6dde58f304321d4e8ca453f13c (diff) | |
download | linux-55917a21d0cc012bb6073bb05bb768fd51d8e237.tar.gz linux-55917a21d0cc012bb6073bb05bb768fd51d8e237.tar.bz2 linux-55917a21d0cc012bb6073bb05bb768fd51d8e237.zip |
netfilter: x_tables: add context to know if extension runs from nft_compat
Currently, we have four xtables extensions that cannot be used from the
xt over nft compat layer. The problem is that they need real access to
the full blown xt_entry to validate that the rule comes with the right
dependencies. This check was introduced to overcome the lack of
sufficient userspace dependency validation in iptables.
To resolve this problem, this patch introduces a new field to the
xt_tgchk_param structure that tell us if the extension is run from
nft_compat context.
The three affected extensions are:
1) CLUSTERIP, this target has been superseded by xt_cluster. So just
bail out by returning -EINVAL.
2) TCPMSS. Relax the checking when used from nft_compat. If used with
the wrong configuration, it will corrupt !syn packets by adding TCP
MSS option.
3) ebt_stp. Relax the check to make sure it uses the reserved
destination MAC address for STP.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Tested-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Diffstat (limited to 'include/linux')
-rw-r--r-- | include/linux/netfilter/x_tables.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h index a3e215bb0241..09f38206c18f 100644 --- a/include/linux/netfilter/x_tables.h +++ b/include/linux/netfilter/x_tables.h @@ -62,6 +62,7 @@ struct xt_mtchk_param { void *matchinfo; unsigned int hook_mask; u_int8_t family; + bool nft_compat; }; /** @@ -92,6 +93,7 @@ struct xt_tgchk_param { void *targinfo; unsigned int hook_mask; u_int8_t family; + bool nft_compat; }; /* Target destructor parameters */ |