• Pablo Neira Ayuso's avatar
    netfilter: nf_tables: fix chain dependency validation · a654de8f
    Pablo Neira Ayuso authored
    The following ruleset:
    
     add table ip filter
     add chain ip filter input { type filter hook input priority 4; }
     add chain ip filter ap
     add rule ip filter input jump ap
     add rule ip filter ap masquerade
    
    results in a panic, because the masquerade extension should be rejected
    from the filter chain. The existing validation is missing a chain
    dependency check when the rule is added to the non-base chain.
    
    This patch fixes the problem by walking down the rules from the
    basechains, searching for either immediate or lookup expressions, then
    jumping to non-base chains and again walking down the rules to perform
    the expression validation, so we make sure the full ruleset graph is
    validated. This is done only once from the commit phase, in case of
    problem, we abort the transaction and perform fine grain validation for
    error reporting. This patch requires 00308791 ("netfilter:
    nfnetlink: allow commit to fail") to achieve this behaviour.
    
    This patch also adds a cleanup callback to nfnl batch interface to reset
    the validate state from the exit path.
    
    As a result of this patch, nf_tables_check_loops() doesn't use
    ->validate to check for loops, instead it just checks for immediate
    expressions.
    Reported-by: default avatarTaehee Yoo <ap420073@gmail.com>
    Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
    a654de8f
nftables.h 275 Bytes