netfilter: nft_meta_bridge: add validate callback for get operations

author Florian Westphal <fw@strlen.de>

Thu, 18 Jun 2026 06:16:18 +0000 (08:16 +0200)

committer Pablo Neira Ayuso <pablo@netfilter.org>

Sat, 20 Jun 2026 22:18:26 +0000 (00:18 +0200)
author Florian Westphal <fw@strlen.de>
Thu, 18 Jun 2026 06:16:18 +0000 (08:16 +0200)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Sat, 20 Jun 2026 22:18:26 +0000 (00:18 +0200)
diff --git a/include/net/netfilter/nft_meta.h b/include/net/netfilter/nft_meta.h

index f74e63290603d9a9ddd4d2edbfb510ec6826c177..6cf1d910bbf8da05e9a1b174279f59feab684696 100644 (file)
--- a/include/net/netfilter/nft_meta.h
+++ b/include/net/netfilter/nft_meta.h
@@ -40,6 +40,8 @@ void nft_meta_set_eval(const struct nft_expr *expr,
  void nft_meta_set_destroy(const struct nft_ctx *ctx,
                           const struct nft_expr *expr);
  
+int nft_meta_get_validate(const struct nft_ctx *ctx,
+                         const struct nft_expr *expr);
  int nft_meta_set_validate(const struct nft_ctx *ctx,
                           const struct nft_expr *expr);
  
diff --git a/net/bridge/netfilter/nft_meta_bridge.c b/net/bridge/netfilter/nft_meta_bridge.c

index 219c4068026026e308df9020236fdaffe4872c7b..3d95f68e0906abf5cc83dddad274ddfd54ff8179 100644 (file)
--- a/net/bridge/netfilter/nft_meta_bridge.c
+++ b/net/bridge/netfilter/nft_meta_bridge.c
@@ -107,12 +107,30 @@ static int nft_meta_bridge_get_init(const struct nft_ctx *ctx,
                                         NULL, NFT_DATA_VALUE, len);
  }
  
+static int nft_meta_bridge_get_validate(const struct nft_ctx *ctx,
+                                       const struct nft_expr *expr)
+{
+       struct nft_meta *priv = nft_expr_priv(expr);
+       unsigned int hooks;
+
+       switch (priv->key) {
+       case NFT_META_BRI_IIFHWADDR:
+               hooks = 1 << NF_BR_PRE_ROUTING;
+               break;
+       default:
+               return nft_meta_get_validate(ctx, expr);
+       }
+
+       return nft_chain_validate_hooks(ctx->chain, hooks);
+}
+
  static struct nft_expr_type nft_meta_bridge_type;
  static const struct nft_expr_ops nft_meta_bridge_get_ops = {
         .type           = &nft_meta_bridge_type,
         .size           = NFT_EXPR_SIZE(sizeof(struct nft_meta)),
         .eval           = nft_meta_bridge_get_eval,
         .init           = nft_meta_bridge_get_init,
+       .validate       = nft_meta_bridge_get_validate,
         .dump           = nft_meta_get_dump,
  };
  
@@ -168,7 +186,6 @@ static int nft_meta_bridge_set_validate(const struct nft_ctx *ctx,
  
         switch (priv->key) {
         case NFT_META_BRI_BROUTE:
-       case NFT_META_BRI_IIFHWADDR:
                 hooks = 1 << NF_BR_PRE_ROUTING;
                 break;
         default:
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c

index 9b5821c644426dcc7a0e1723c49083a745fbbd2c..0a43e0787a688810f6105cffb659a7981a0f339c 100644 (file)
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -635,8 +635,8 @@ static int nft_meta_get_validate_xfrm(const struct nft_ctx *ctx)
  #endif
  }
  
-static int nft_meta_get_validate(const struct nft_ctx *ctx,
-                                const struct nft_expr *expr)
+int nft_meta_get_validate(const struct nft_ctx *ctx,
+                         const struct nft_expr *expr)
  {
         const struct nft_meta *priv = nft_expr_priv(expr);
  
@@ -652,6 +652,7 @@ static int nft_meta_get_validate(const struct nft_ctx *ctx,
  
         return 0;
  }
+EXPORT_SYMBOL_GPL(nft_meta_get_validate);
  
  int nft_meta_set_validate(const struct nft_ctx *ctx,
                           const struct nft_expr *expr)
author	Florian Westphal <fw@strlen.de>
	Thu, 18 Jun 2026 06:16:18 +0000 (08:16 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Sat, 20 Jun 2026 22:18:26 +0000 (00:18 +0200)
include/net/netfilter/nft_meta.h		patch \| blob \| blame \| history
net/bridge/netfilter/nft_meta_bridge.c		patch \| blob \| blame \| history
net/netfilter/nft_meta.c		patch \| blob \| blame \| history