netfilter: nft_tproxy: restrict to prerouting hook
TPROXY is only allowed from prerouting, but nft_tproxy doesn't check this.
This fixes a crash (null dereference) when using tproxy from e.g. output.
Fixes: 4ed8eb6570
("netfilter: nf_tables: Add native tproxy support")
Reported-by: Shell Chen <xierch@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
This commit is contained in:
parent
cf97769c76
commit
18bbc32133
|
@ -312,6 +312,13 @@ static int nft_tproxy_dump(struct sk_buff *skb,
|
|||
return 0;
|
||||
}
|
||||
|
||||
static int nft_tproxy_validate(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr,
|
||||
const struct nft_data **data)
|
||||
{
|
||||
return nft_chain_validate_hooks(ctx->chain, 1 << NF_INET_PRE_ROUTING);
|
||||
}
|
||||
|
||||
static struct nft_expr_type nft_tproxy_type;
|
||||
static const struct nft_expr_ops nft_tproxy_ops = {
|
||||
.type = &nft_tproxy_type,
|
||||
|
@ -321,6 +328,7 @@ static const struct nft_expr_ops nft_tproxy_ops = {
|
|||
.destroy = nft_tproxy_destroy,
|
||||
.dump = nft_tproxy_dump,
|
||||
.reduce = NFT_REDUCE_READONLY,
|
||||
.validate = nft_tproxy_validate,
|
||||
};
|
||||
|
||||
static struct nft_expr_type nft_tproxy_type __read_mostly = {
|
||||
|
|
Loading…
Reference in New Issue