netfilter: nf_tables: restrict nat/masq expressions to nat chain type

This adds the missing validation code to avoid the use of nat/masq from non-nat chains. The validation assumes two possible configuration scenarios: 1) Use of nat from base chain that is not of nat type. Reject this configuration from the nft_*_init() path of the expression. 2) Use of nat from non-base chain. In this case, we have to wait until the non-base chain is referenced by at least one base chain via jump/goto. This is resolved from the nft_*_validate() path which is called from nf_tables_check_loops(). The user gets an -EOPNOTSUPP in both cases. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2014-10-13 13:50:22 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2014-10-13 14:42:00 -0400
commit: 7210e4e38f945dfa173c4a4e59ad827c9ecad541 (patch)
tree: f86826588257abd66235761163e113bfdd82594f /net
parent: ab2d7251d666995740da17b2a51ca545ac5dd037 (diff)
5 files changed, 40 insertions, 0 deletions
diff --git a/net/ipv4/netfilter/nft_masq_ipv4.c b/net/ipv4/netfilter/nft_masq_ipv4.c
index 1c636d6b5b50..c1023c445920 100644
--- a/net/ipv4/netfilter/nft_masq_ipv4.c
+++ b/net/ipv4/netfilter/nft_masq_ipv4.c
@@ -39,6 +39,7 @@ static const struct nft_expr_ops nft_masq_ipv4_ops = {
        .eval           = nft_masq_ipv4_eval,
        .init           = nft_masq_init,
        .dump           = nft_masq_dump,
+        .validate       = nft_masq_validate,
 };
 static struct nft_expr_type nft_masq_ipv4_type __read_mostly = {
diff --git a/net/ipv6/netfilter/nft_masq_ipv6.c b/net/ipv6/netfilter/nft_masq_ipv6.c
index 556262f40761..8a7ac685076d 100644
--- a/net/ipv6/netfilter/nft_masq_ipv6.c
+++ b/net/ipv6/netfilter/nft_masq_ipv6.c
@@ -39,6 +39,7 @@ static const struct nft_expr_ops nft_masq_ipv6_ops = {
        .eval           = nft_masq_ipv6_eval,
        .init           = nft_masq_init,
        .dump           = nft_masq_dump,
+        .validate       = nft_masq_validate,
 };
 static struct nft_expr_type nft_masq_ipv6_type __read_mostly = {
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 556a0dfa4abc..65eb2a1160d5 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3744,6 +3744,20 @@ static const struct nfnetlink_subsystem nf_tables_subsys = {
        .abort          = nf_tables_abort,
 };
+int nft_chain_validate_dependency(const struct nft_chain *chain,
+                                  enum nft_chain_type type)
+{
+        const struct nft_base_chain *basechain;
+        if (chain->flags & NFT_BASE_CHAIN) {
+                basechain = nft_base_chain(chain);
+                if (basechain->type->type != type)
+                        return -EOPNOTSUPP;
+        }
+        return 0;
+}
+EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
 /*
 * Loop detection - walk through the ruleset beginning at the destination chain
 * of a new jump until either the source chain is reached (loop) or all
diff --git a/net/netfilter/nft_masq.c b/net/netfilter/nft_masq.c
index 6637bab00567..d1ffd5eb3a9b 100644
--- a/net/netfilter/nft_masq.c
+++ b/net/netfilter/nft_masq.c
@@ -26,6 +26,11 @@ int nft_masq_init(const struct nft_ctx *ctx,
                  const struct nlattr * const tb[])
 {
        struct nft_masq *priv = nft_expr_priv(expr);
+        int err;
+        err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
+        if (err < 0)
+                return err;
        if (tb[NFTA_MASQ_FLAGS] == NULL)
                return 0;
@@ -55,5 +60,12 @@ nla_put_failure:
 }
 EXPORT_SYMBOL_GPL(nft_masq_dump);
+int nft_masq_validate(const struct nft_ctx *ctx, const struct nft_expr *expr,
+                      const struct nft_data **data)
+{
+        return nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
+}
+EXPORT_SYMBOL_GPL(nft_masq_validate);
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>");
diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
index 799550b476fb..0f0af6e86fb8 100644
--- a/net/netfilter/nft_nat.c
+++ b/net/netfilter/nft_nat.c
@@ -95,6 +95,10 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
        u32 family;
        int err;
+        err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
+        if (err < 0)
+                return err;
        if (tb[NFTA_NAT_TYPE] == NULL)
                return -EINVAL;
@@ -205,6 +209,13 @@ nla_put_failure:
        return -1;
 }
+static int nft_nat_validate(const struct nft_ctx *ctx,
+                            const struct nft_expr *expr,
+                            const struct nft_data **data)
+{
+        return nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
+}
 static struct nft_expr_type nft_nat_type;
 static const struct nft_expr_ops nft_nat_ops = {
        .type           = &nft_nat_type,
@@ -212,6 +223,7 @@ static const struct nft_expr_ops nft_nat_ops = {
        .eval           = nft_nat_eval,
        .init           = nft_nat_init,
        .dump           = nft_nat_dump,
+        .validate       = nft_nat_validate,
 };
 static struct nft_expr_type nft_nat_type __read_mostly = {
author	Pablo Neira Ayuso <pablo@netfilter.org>	2014-10-13 13:50:22 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2014-10-13 14:42:00 -0400
commit	7210e4e38f945dfa173c4a4e59ad827c9ecad541 (patch)
tree	f86826588257abd66235761163e113bfdd82594f /net
parent	ab2d7251d666995740da17b2a51ca545ac5dd037 (diff)