Commit 8c46207
netfilter: nf_tables: Reject tables of unsupported family
jira VULN-7622
cve CVE-2023-6040
commit-author Phil Sutter <[email protected]>
commit f1082dd
upstream-diff |
1. The `CONFIG_NF_TABLES_NETDEV' case removed because that option is
not even available in the `ciqcbr7_9' yet.
2. All table type CONFIGs wrapped in `IS_ENABLED(...)' macro instead
of just `CONFIG_NF_TABLES_BRIDGE' because all of them are of type
"tristate" in `ciqcbr7_9', unlike in the newer kernels where they
are "bool" and a simple #ifdef is sufficient.
An nftables family is merely a hollow container, its family just a
number and such not reliant on compile-time options other than nftables
support itself. Add an artificial check so attempts at using a family
the kernel can't support fail as early as possible. This helps user
space detect kernels which lack e.g. NFPROTO_INET.
Signed-off-by: Phil Sutter <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>
(cherry picked from commit f1082dd)
Signed-off-by: Marcin Wcisło <[email protected]>

1 parent f946730 commit 8c46207
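The commit message describes the check but this page does not carry the hunk body, so the following is an added userspace model (not the commit's or the kernel's own code) of what it says: a per-family test wrapped in `IS_ENABLED()` so that a tristate option built as a module (`=m`, visible to C only as `CONFIG_<OPT>_MODULE`) still counts, and an early `-EOPNOTSUPP` in the new-table path. The `NFPROTO_*` values, the `CONFIG_NF_TABLES_*` option names and the `IS_ENABLED()` preprocessor trick are real kernel identifiers reproduced here; the function names `nft_supported_family()` and `nf_tables_newtable_check()`, the switch layout, and the simulated `.config` at the top are assumptions for the example.

```c
/* Added example modelling the check described in the commit message.
 * NFPROTO_*, CONFIG_NF_TABLES_* and the IS_ENABLED() macro chain are
 * real kernel identifiers; the function names and the simulated .config
 * below are assumptions, since the hunk body is not shown on this page. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simulated .config for this build (constructed for the example).
 * A tristate option set to 'm' is only visible to C code as
 * CONFIG_<OPT>_MODULE, which is why a plain #ifdef CONFIG_<OPT>
 * would wrongly report it as absent. */
#define CONFIG_NF_TABLES_IPV4 1          /* =y */
#define CONFIG_NF_TABLES_IPV6_MODULE 1   /* =m */
#define CONFIG_NF_TABLES_INET 1          /* =y */
/* CONFIG_NF_TABLES_ARP and CONFIG_NF_TABLES_BRIDGE deliberately unset (=n). */

/* Userspace re-implementation of the kernel's IS_ENABLED() trick:
 * expands to 1 when the option is defined as 1, either directly (=y)
 * or with a _MODULE suffix (=m), and to 0 otherwise. The comma hidden
 * in __ARG_PLACEHOLDER_1 shifts "1" into the second-argument slot. */
#define __ARG_PLACEHOLDER_1 0,
#define __take_second_arg(__ignored, val, ...) val
#define __is_defined(x) ___is_defined(x)
#define ___is_defined(val) ____is_defined(__ARG_PLACEHOLDER_##val)
#define ____is_defined(arg1_or_junk) __take_second_arg(arg1_or_junk 1, 0)
#define IS_BUILTIN(option) __is_defined(option)
#define IS_MODULE(option) __is_defined(option##_MODULE)
#define IS_ENABLED(option) (IS_BUILTIN(option) || IS_MODULE(option))

/* Family numbers as in include/uapi/linux/netfilter.h. */
enum {
	NFPROTO_UNSPEC = 0,
	NFPROTO_INET   = 1,
	NFPROTO_IPV4   = 2,
	NFPROTO_ARP    = 3,
	NFPROTO_NETDEV = 5,
	NFPROTO_BRIDGE = 7,
	NFPROTO_IPV6   = 10,
};

/* Assumed shape of the check: true only for families whose table
 * support is compiled in (=y) or built as a module (=m). Anything
 * unlisted, including NFPROTO_NETDEV on a kernel without that option,
 * falls through to "unsupported". */
static bool nft_supported_family(uint8_t family)
{
	switch (family) {
	case NFPROTO_INET:   return IS_ENABLED(CONFIG_NF_TABLES_INET);
	case NFPROTO_IPV4:   return IS_ENABLED(CONFIG_NF_TABLES_IPV4);
	case NFPROTO_IPV6:   return IS_ENABLED(CONFIG_NF_TABLES_IPV6);
	case NFPROTO_ARP:    return IS_ENABLED(CONFIG_NF_TABLES_ARP);
	case NFPROTO_BRIDGE: return IS_ENABLED(CONFIG_NF_TABLES_BRIDGE);
	default:             return false;
	}
}

/* Model of the early rejection in the new-table request path: decided
 * before any table object would be allocated, returning 0 or a negative
 * errno the way the kernel's netlink handlers report failure. */
static int nf_tables_newtable_check(uint8_t family)
{
	if (!nft_supported_family(family))
		return -EOPNOTSUPP;
	return 0;
}

int main(void)
{
	const struct { const char *name; uint8_t family; } req[] = {
		{ "inet",   NFPROTO_INET },   { "ip",     NFPROTO_IPV4 },
		{ "ip6",    NFPROTO_IPV6 },   { "arp",    NFPROTO_ARP },
		{ "bridge", NFPROTO_BRIDGE }, { "netdev", NFPROTO_NETDEV },
	};
	for (size_t i = 0; i < sizeof(req) / sizeof(req[0]); i++) {
		int rc = nf_tables_newtable_check(req[i].family);
		printf("add table %-6s -> %s\n", req[i].name,
		       rc == 0 ? "ok" : "EOPNOTSUPP");
	}
	return 0;
}
```

With the simulated configuration above, `ip6` is accepted even though only `CONFIG_NF_TABLES_IPV6_MODULE` is defined, which is exactly the tristate case the backport note's second item is about; `arp`, `bridge` and `netdev` are refused before anything is created.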
1 file changed, +24 -0 lines changed

[Diff body not present on this page; only the hunk outline survives in the line-number table.]

| Original file line number | Diff line number | Diff line change |
|---|---|---|
| 702-704 | 702-704 | unchanged context |
| | 705-725 | + 21 added lines |
| 705-707 | 726-728 | unchanged context |
| 715-717 | 736-738 | unchanged context |
| | 739-741 | + 3 added lines |
| 718-720 | 742-744 | unchanged context |
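Review bot: with the hunk bodies absent, the one logic point to confirm from the backport note's first item is the NETDEV path: dropping the `CONFIG_NF_TABLES_NETDEV` case means an NFPROTO_NETDEV request must be caught by the new function's fall-through branch, so check that branch returns an error rather than treating an unlisted family as supported, otherwise the "fail as early as possible" intent in the message is lost for exactly that family. The second item is sound as stated: for a tristate option built as a module only `CONFIG_<OPT>_MODULE` is defined, so a bare `#ifdef CONFIG_<OPT>` would misreport `=m` as absent and `IS_ENABLED()` is the right wrapper in `ciqcbr7_9`. Also worth checking that the 3-line hunk at 739-741 (the likely call site in the new-table handler) sits before any allocation, so a rejected request leaves no partially created table behind.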