diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-08-21 16:25:07 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-08-24 07:43:21 +0200 |
commit | 5f3b7aae14a706d0d7da9f9e39def52ff5fc3d39 (patch) | |
tree | 870bd5c034f9f4b3fd03005107ddddc1c1767a20 /net | |
parent | 43eb8949cfdffa764b92bc6c54b87cbe5b0003fe (diff) | |
download | linux-5f3b7aae14a706d0d7da9f9e39def52ff5fc3d39.tar.gz linux-5f3b7aae14a706d0d7da9f9e39def52ff5fc3d39.tar.bz2 linux-5f3b7aae14a706d0d7da9f9e39def52ff5fc3d39.zip |
netfilter: nft_osf: restrict osf to ipv4, ipv6 and inet families
As it was originally intended, restrict extension to supported families.
Fixes: b96af92d6eaf ("netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
-rw-r--r-- | net/netfilter/nft_osf.c | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/net/netfilter/nft_osf.c b/net/netfilter/nft_osf.c index 0053a697c931..89342ccccdcc 100644 --- a/net/netfilter/nft_osf.c +++ b/net/netfilter/nft_osf.c @@ -115,9 +115,21 @@ static int nft_osf_validate(const struct nft_ctx *ctx, const struct nft_expr *expr, const struct nft_data **data) { - return nft_chain_validate_hooks(ctx->chain, (1 << NF_INET_LOCAL_IN) | - (1 << NF_INET_PRE_ROUTING) | - (1 << NF_INET_FORWARD)); + unsigned int hooks; + + switch (ctx->family) { + case NFPROTO_IPV4: + case NFPROTO_IPV6: + case NFPROTO_INET: + hooks = (1 << NF_INET_LOCAL_IN) | + (1 << NF_INET_PRE_ROUTING) | + (1 << NF_INET_FORWARD); + break; + default: + return -EOPNOTSUPP; + } + + return nft_chain_validate_hooks(ctx->chain, hooks); } static bool nft_osf_reduce(struct nft_regs_track *track, |