diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-08-08 19:30:07 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-08-09 20:13:29 +0200 |
commit | f323ef3a0d49e147365284bc1f02212e617b7f09 (patch) | |
tree | e4e3c8b186ad39a11535e21ec4c374906fa03ef4 /include/net | |
parent | 341b6941608762d8235f3fd1e45e4d7114ed8c2c (diff) | |
download | lwn-f323ef3a0d49e147365284bc1f02212e617b7f09.tar.gz lwn-f323ef3a0d49e147365284bc1f02212e617b7f09.zip |
netfilter: nf_tables: disallow jump to implicit chain from set element
Extend struct nft_data_desc to add a flag field that specifies
nft_data_init() is being called for set element data.
Use it to disallow jump to implicit chain from set element, only jump
to chain via immediate expression is allowed.
Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/net')
-rw-r--r-- | include/net/netfilter/nf_tables.h | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index 1554f1e7215b..99aae36c04b9 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -221,10 +221,15 @@ struct nft_ctx { bool report; }; +enum nft_data_desc_flags { + NFT_DATA_DESC_SETELEM = (1 << 0), +}; + struct nft_data_desc { enum nft_data_types type; unsigned int size; unsigned int len; + unsigned int flags; }; int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data, |