git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/commit

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 8 Aug 2022 17:30:07 +0000 (19:30 +0200)
committer	Stefan Bader <stefan.bader@canonical.com>
	Fri, 7 Oct 2022 08:39:25 +0000 (10:39 +0200)
commit	13af8fece429ce70695b00e427a4b78c3236a8e3
tree	167517940d0e3614ffbc0fef8fe6d8ac42065ad0	tree
parent	3274c8b94693018f2e8d242abbf1d9e605d4c7dd	commit \| diff

netfilter: nf_tables: disallow jump to implicit chain from set element

BugLink: https://bugs.launchpad.net/bugs/1991717
[ Upstream commit f323ef3a0d49e147365284bc1f02212e617b7f09 ]

Extend struct nft_data_desc to add a flag field that specifies
nft_data_init() is being called for set element data.

Use it to disallow jump to implicit chain from set element, only jump
to chain via immediate expression is allowed.

Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

include/net/netfilter/nf_tables.h		diff \| blob \| blame \| history
net/netfilter/nf_tables_api.c		diff \| blob \| blame \| history