netfilter: nf_tables: reject unsupported chain flags

Bail out if userspace sends unsupported chain flags.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index e00b4ae6174e4066769dfe692d974a61f9c22009..42f351c1f5c5333c43a4abde25cb8c43ba277a5f 100644 (file)
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -189,6 +189,9 @@ enum nft_chain_flags {
        NFT_CHAIN_HW_OFFLOAD    = (1 << 1),
        NFT_CHAIN_BINDING       = (1 << 2),
 };
+#define NFT_CHAIN_FLAGS                (NFT_CHAIN_BASE         | \
+                                NFT_CHAIN_HW_OFFLOAD   | \
+                                NFT_CHAIN_BINDING)
 
 /**
  * enum nft_chain_attributes - nf_tables chain netlink attributes

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index b8a970dad213330f1e71a188fa475354f826102a..f96785586f641f0bb299f167d08f72fcf6785cd5 100644 (file)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2285,6 +2285,9 @@ static int nf_tables_newchain(struct net *net, struct sock *nlsk,
        else if (chain)
                flags = chain->flags;
 
+       if (flags & ~NFT_CHAIN_FLAGS)
+               return -EOPNOTSUPP;
+
        nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
 
        if (chain != NULL) {