[thirdparty/kernel/stable-queue.git] / releases / 6.6.26 / netfilter-nf_tables-reject-destroy-command-to-remove.patch

From 5afd33a659a279c05b97c099a191773736212832 Mon Sep 17 00:00:00 2001
From: Sasha Levin <sashal@kernel.org>
Date: Thu, 21 Mar 2024 01:27:50 +0100
Subject: netfilter: nf_tables: reject destroy command to remove basechain
 hooks

From: Pablo Neira Ayuso <pablo@netfilter.org>

[ Upstream commit b32ca27fa238ff83427d23bef2a5b741e2a88a1e ]

Report EOPNOTSUPP if NFT_MSG_DESTROYCHAIN is used to delete hooks in an
existing netdev basechain, thus, only NFT_MSG_DELCHAIN is allowed.

Fixes: 7d937b107108f ("netfilter: nf_tables: support for deleting devices in an existing netdev chain")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nf_tables_api.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index f10419ba6e0bd..0653f1e5e8929 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2934,7 +2934,8 @@ static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info,
 	nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
 
 	if (nla[NFTA_CHAIN_HOOK]) {
-		if (chain->flags & NFT_CHAIN_HW_OFFLOAD)
+		if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN ||
+		    chain->flags & NFT_CHAIN_HW_OFFLOAD)
 			return -EOPNOTSUPP;
 
 		if (nft_is_base_chain(chain)) {
-- 
2.43.0
Commit	Line	Data
ffc1c2fe SL	1	From 5afd33a659a279c05b97c099a191773736212832 Mon Sep 17 00:00:00 2001
	2	From: Sasha Levin <sashal@kernel.org>
	3	Date: Thu, 21 Mar 2024 01:27:50 +0100
	4	Subject: netfilter: nf_tables: reject destroy command to remove basechain
	5	hooks
	6
	7	From: Pablo Neira Ayuso <pablo@netfilter.org>
	8
	9	[ Upstream commit b32ca27fa238ff83427d23bef2a5b741e2a88a1e ]
	10
	11	Report EOPNOTSUPP if NFT_MSG_DESTROYCHAIN is used to delete hooks in an
	12	existing netdev basechain, thus, only NFT_MSG_DELCHAIN is allowed.
	13
	14	Fixes: 7d937b107108f ("netfilter: nf_tables: support for deleting devices in an existing netdev chain")
	15	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
	16	Signed-off-by: Sasha Levin <sashal@kernel.org>
	17	---
	18	net/netfilter/nf_tables_api.c \| 3 ++-
	19	1 file changed, 2 insertions(+), 1 deletion(-)
	20
	21	diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
	22	index f10419ba6e0bd..0653f1e5e8929 100644
	23	--- a/net/netfilter/nf_tables_api.c
	24	+++ b/net/netfilter/nf_tables_api.c
	25	@@ -2934,7 +2934,8 @@ static int nf_tables_delchain(struct sk_buff skb, const struct nfnl_info info,
	26	nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
	27
	28	if (nla[NFTA_CHAIN_HOOK]) {
	29	- if (chain->flags & NFT_CHAIN_HW_OFFLOAD)
	30	+ if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN \|\|
	31	+ chain->flags & NFT_CHAIN_HW_OFFLOAD)
	32	return -EOPNOTSUPP;
	33
	34	if (nft_is_base_chain(chain)) {
	35	--
	36	2.43.0
	37