netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV

[ Upstream commit 776d451648443f9884be4a1b4e38e8faf1c621f9 ] Bail out on using the tunnel dst template from other than netdev family. Add the infrastructure to check for the family in objects. Fixes: af308b94a2a4 ("netfilter: nf_tables: add tunnel support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2024-01-24 01:45:32 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-02-05 23:13:01 +0300
commit: 67f0ca0a4c85a0d067fac287d508e598c1c0a4be (patch)
tree: 6ab89e3438df7022dab0c306f38cc2ff1ba1c7d0 /include
parent: 8a51dbf7b72c202e822c772452672be04f0c788d (diff)
download: linux-67f0ca0a4c85a0d067fac287d508e598c1c0a4be.tar.xz
1 files changed, 2 insertions, 0 deletions
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index c726da3b7d68..2fa344cb66f6 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1286,6 +1286,7 @@ void nft_obj_notify(struct net *net, const struct nft_table *table,
  *	@type: stateful object numeric type
  *	@owner: module owner
  *	@maxattr: maximum netlink attribute
+ *	@family: address family for AF-specific object types
  *	@policy: netlink attribute policy
  */
 struct nft_object_type {
@@ -1295,6 +1296,7 @@ struct nft_object_type {
 	struct list_head		list;
 	u32				type;
 	unsigned int                    maxattr;
+	u8				family;
 	struct module			*owner;
 	const struct nla_policy		*policy;
 };
author	Pablo Neira Ayuso <pablo@netfilter.org>	2024-01-24 01:45:32 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2024-02-05 23:13:01 +0300
commit	67f0ca0a4c85a0d067fac287d508e598c1c0a4be (patch)
tree	6ab89e3438df7022dab0c306f38cc2ff1ba1c7d0 /include
parent	8a51dbf7b72c202e822c772452672be04f0c788d (diff)
download	linux-67f0ca0a4c85a0d067fac287d508e598c1c0a4be.tar.xz