From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Fernando Fernandez Mancera , Pablo Neira Ayuso , Sasha Levin Subject: [PATCH 4.19 049/639] netfilter: nft_osf: usage from output path is not valid Date: Fri, 24 Jan 2020 10:23:39 +0100 Message-Id: <20200124093053.554365367@linuxfoundation.org> X-Mailer: git-send-email 2.25.0 In-Reply-To: <20200124093047.008739095@linuxfoundation.org> References: <20200124093047.008739095@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Fernando Fernandez Mancera [ Upstream commit 4a3e71b7b7dbaf3562be9d508260935aa13cb48b ] The nft_osf extension, like xt_osf, is not supported from the output path. Fixes: b96af92d6eaf ("netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf") Signed-off-by: Fernando Fernandez Mancera Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin --- net/netfilter/nft_osf.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/net/netfilter/nft_osf.c b/net/netfilter/nft_osf.c index a35fb59ace732..df4e3e0412ed3 100644 --- a/net/netfilter/nft_osf.c +++ b/net/netfilter/nft_osf.c @@ -69,6 +69,15 @@ nla_put_failure: return -1; } +static int nft_osf_validate(const struct nft_ctx *ctx, + const struct nft_expr *expr, + const struct nft_data **data) +{ + return nft_chain_validate_hooks(ctx->chain, (1 << NF_INET_LOCAL_IN) | + (1 << NF_INET_PRE_ROUTING) | + (1 << NF_INET_FORWARD)); +} + static struct nft_expr_type nft_osf_type; static const struct nft_expr_ops nft_osf_op = { .eval = nft_osf_eval, @@ -76,6 +85,7 @@ static const struct nft_expr_ops nft_osf_op = { .init = nft_osf_init, .dump = nft_osf_dump, .type = &nft_osf_type, + .validate = nft_osf_validate, }; static struct nft_expr_type nft_osf_type __read_mostly = { -- 2.20.1
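Review bot: in nft_osf_validate() the hook mask allows only NF_INET_LOCAL_IN, NF_INET_PRE_ROUTING and NF_INET_FORWARD, so NF_INET_POST_ROUTING is rejected along with the output hook, while the commit message only mentions the output path. A short comment above the function saying why these three hooks are the valid ones, and that postrouting is excluded on purpose, would keep the mask from reading as an oversight. The data argument is unused in the body; if it is only there to match the callback signature, that is fine as is.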
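Review bot: wiring .validate = nft_osf_validate into nft_osf_op means a rule that uses osf in a chain on any hook outside the mask now fails validation where it was accepted before. The commit message should state this user-visible change, since the patch is queued for 4.19 stable, where an existing ruleset may contain such a rule.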