netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV

[ Upstream commit 776d451648443f9884be4a1b4e38e8faf1c621f9 ] Bail out on using the tunnel dst template from other than netdev family. Add the infrastructure to check for the family in objects. Fixes: af308b94a2a4 ("netfilter: nf_tables: add tunnel support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2024-01-24 01:45:32 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-02-05 23:14:36 +0300
commit: ce76746a1cd281dc49b8faaf4afe742efe01dd3b (patch)
tree: 55dac6c3d115f4ab077398063cd18776685e12ba /include
parent: 6edc89300b319bdf73fc794d158511ce5bccd30a (diff)
download: linux-ce76746a1cd281dc49b8faaf4afe742efe01dd3b.tar.xz
1 files changed, 2 insertions, 0 deletions
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 75972e211ba1..5bb8a83e2604 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1307,6 +1307,7 @@ void nft_obj_notify(struct net *net, const struct nft_table *table,
  *	@type: stateful object numeric type
  *	@owner: module owner
  *	@maxattr: maximum netlink attribute
+ *	@family: address family for AF-specific object types
  *	@policy: netlink attribute policy
  */
 struct nft_object_type {
@@ -1316,6 +1317,7 @@ struct nft_object_type {
 	struct list_head		list;
 	u32				type;
 	unsigned int                    maxattr;
+	u8				family;
 	struct module			*owner;
 	const struct nla_policy		*policy;
 };
author	Pablo Neira Ayuso <pablo@netfilter.org>	2024-01-24 01:45:32 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2024-02-05 23:14:36 +0300
commit	ce76746a1cd281dc49b8faaf4afe742efe01dd3b (patch)
tree	55dac6c3d115f4ab077398063cd18776685e12ba /include
parent	6edc89300b319bdf73fc794d158511ce5bccd30a (diff)
download	linux-ce76746a1cd281dc49b8faaf4afe742efe01dd3b.tar.xz