Skip to content

Commit

Permalink
netfilter: nft_tproxy: restrict to prerouting hook
Browse files Browse the repository at this point in the history
TPROXY is only allowed from prerouting, but nft_tproxy doesn't check this.
This fixes a crash (null dereference) when using tproxy from e.g. output.

Fixes: 4ed8eb6 ("netfilter: nf_tables: Add native tproxy support")
Reported-by: Shell Chen <xierch@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
  • Loading branch information
Florian Westphal committed Aug 23, 2022
1 parent cf97769 commit 18bbc32
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions net/netfilter/nft_tproxy.c
Original file line number Diff line number Diff line change
Expand Up @@ -312,6 +312,13 @@ static int nft_tproxy_dump(struct sk_buff *skb,
return 0;
}

static int nft_tproxy_validate(const struct nft_ctx *ctx,
const struct nft_expr *expr,
const struct nft_data **data)
{
return nft_chain_validate_hooks(ctx->chain, 1 << NF_INET_PRE_ROUTING);
}

static struct nft_expr_type nft_tproxy_type;
static const struct nft_expr_ops nft_tproxy_ops = {
.type = &nft_tproxy_type,
Expand All @@ -321,6 +328,7 @@ static const struct nft_expr_ops nft_tproxy_ops = {
.destroy = nft_tproxy_destroy,
.dump = nft_tproxy_dump,
.reduce = NFT_REDUCE_READONLY,
.validate = nft_tproxy_validate,
};

static struct nft_expr_type nft_tproxy_type __read_mostly = {
Expand Down

0 comments on commit 18bbc32

Please sign in to comment.