authorArturo Borrero <arturo.borrero.glez@gmail.com>2014-01-16 20:28:45 -0500
committerPablo Neira Ayuso <pablo@netfilter.org>2014-02-05 07:16:17 -0500
commit2a53bfb3e0fb6aa6b1ac93e5979a040a4b57ea8b (patch)
tree5099bc9bb244f5d157bd4d10397f31a4588a7210 /net
parent2a971354e74f3837d14b9c8d7f7983b0c9c330e4 (diff)
netfilter: nft_ct: fix unconditional dump of 'dir' attr
We want to make sure that the information that we get from the kernel can be reinjected without troubles. The kernel shouldn't return an attribute that is not required, or even prohibited. Dumping unconditionally NFTA_CT_DIRECTION could lead an application in userspace to interpret that the attribute was originally set, while it was not. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
-rw-r--r--net/netfilter/nft_ct.c15
1 files changed, 13 insertions, 2 deletions
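--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -311,8 +311,19 @@ static int nft_ct_get_dump(struct sk_buff *skb, const struct nft_expr *expr)
 goto nla_put_failure;
 if (nla_put_be32(skb, NFTA_CT_KEY, htonl(priv->key)))
 goto nla_put_failure;
-if (nla_put_u8(skb, NFTA_CT_DIRECTION, priv->dir))
-goto nla_put_failure;
+
+switch (priv->key) {
+case NFT_CT_PROTOCOL:
+case NFT_CT_SRC:
+case NFT_CT_DST:
+case NFT_CT_PROTO_SRC:
+case NFT_CT_PROTO_DST:
+if (nla_put_u8(skb, NFTA_CT_DIRECTION, priv->dir))
+goto nla_put_failure;
+default:
+break;
+}
+
 return 0;
 
 nla_put_failure: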
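Review bot: The direction case group in the new switch runs into `default:` with no `break;` after the `nla_put_u8` check, so the success path relies on an implicit fallthrough. It is harmless while `default` only breaks, but any case later placed between the two would also run for the direction-carrying keys; add `break;` after `goto nla_put_failure;`. The key list presumably has to match the set of keys for which the expression's init path accepts NFTA_CT_DIRECTION (not visible in this hunk), otherwise dump and restore drift apart again, so a comment such as `/* keys that carry a direction; keep in sync with init */` above the first case would help. nft_ct_get_dump starts and ends outside the hunk.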