netfilter: nft_fwd_netdev: validate family and chain type

commit 76a109fac206e158eb3c967af98c178cff738e6a upstream. Make sure the forward action is only used from ingress. Fixes: 39e6dea28adc ("netfilter: nf_tables: add forward expression to the netdev family") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2020-03-23 14:27:16 +0100
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-04-02 17:20:35 +0200
commit: 282fd1fb2ff8f2f1b722903d8af844ef346424c1 (patch)
tree: 38f229526e000432456b7904c6b931b43dd6fb66 /net
parent: 86e98ce7de083649e330d518e98a80b9e39b5d43 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/net/netfilter/nft_fwd_netdev.c b/net/netfilter/nft_fwd_netdev.c
index 763ebc3e0b2b..f93047f974e1 100644
--- a/net/netfilter/nft_fwd_netdev.c
+++ b/net/netfilter/nft_fwd_netdev.c
@@ -62,6 +62,13 @@ nla_put_failure:
 	return -1;
 }
 
+static int nft_fwd_validate(const struct nft_ctx *ctx,
+			    const struct nft_expr *expr,
+			    const struct nft_data **data)
+{
+	return nft_chain_validate_hooks(ctx->chain, (1 << NF_NETDEV_INGRESS));
+}
+
 static struct nft_expr_type nft_fwd_netdev_type;
 static const struct nft_expr_ops nft_fwd_netdev_ops = {
 	.type		= &nft_fwd_netdev_type,
@@ -69,6 +76,7 @@ static const struct nft_expr_ops nft_fwd_netdev_ops = {
 	.eval		= nft_fwd_netdev_eval,
 	.init		= nft_fwd_netdev_init,
 	.dump		= nft_fwd_netdev_dump,
+	.validate	= nft_fwd_validate,
 };
 
 static struct nft_expr_type nft_fwd_netdev_type __read_mostly = {
author	Pablo Neira Ayuso <pablo@netfilter.org>	2020-03-23 14:27:16 +0100
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2020-04-02 17:20:35 +0200
commit	282fd1fb2ff8f2f1b722903d8af844ef346424c1 (patch)
tree	38f229526e000432456b7904c6b931b43dd6fb66 /net
parent	86e98ce7de083649e330d518e98a80b9e39b5d43 (diff)