diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-08-21 10:28:25 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-08-24 07:43:20 +0200 |
commit | 5dc52d83baac30decf5f3b371d5eb41dfa1d1412 (patch) | |
tree | 0e226ba90374d9daa0ed10e0ffcf1329ca7c44d2 /net | |
parent | 18bbc3213383a82b05383827f4b1b882e3f0a5a5 (diff) | |
download | lwn-5dc52d83baac30decf5f3b371d5eb41dfa1d1412.tar.gz lwn-5dc52d83baac30decf5f3b371d5eb41dfa1d1412.zip |
netfilter: nf_tables: disallow updates of implicit chain
Updates on existing implicit chain make no sense, disallow this.
Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
-rw-r--r-- | net/netfilter/nf_tables_api.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 62cfb0e31c40..dff2b5851bbb 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -2574,6 +2574,9 @@ static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info, nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); if (chain != NULL) { + if (chain->flags & NFT_CHAIN_BINDING) + return -EINVAL; + if (info->nlh->nlmsg_flags & NLM_F_EXCL) { NL_SET_BAD_ATTR(extack, attr); return -EEXIST; |