Google Git
Sign in
kernel / pub / scm / linux / kernel / git / fwestphal / nf / refs/heads/xt_cluster_restrict
commitf3346fcfe397868fdb1467f4cb6be7900498e189[log] [tgz]
authorFlorian Westphal <fw@strlen.de>Thu Oct 03 19:34:40 2024 +0200
committerFlorian Westphal <fw@strlen.de>Thu Oct 03 19:40:40 2024 +0200
tree683ab1831c75de1c01639cd5b58159eddf561944
parent8beee4d8dee76b67c75dc91fd8185d91e845c160 [diff]
netfilter: xt_cluster: restrict to ip/ip6tables

Restrict this match to iptables/ip6tables.
syzbot managed to call it via ebtables:

 WARNING: CPU: 0 PID: 11 at net/netfilter/xt_cluster.c:72 xt_cluster_mt+0x196/0x780
 [..]
 ebt_do_table+0x174b/0x2a40

Module registers to NFPROTO_UNSPEC, but it assumes ipv4/ipv6 packet
processing.  As this is only useful to restrict locally terminating
TCP/UDP traffic, reject non-ip families at rule load time.

Fixes: 0269ea493734 ("netfilter: xtables: add cluster match")
Signed-off-by: Florian Westphal <fw@strlen.de>
1 file changed
tree: 683ab1831c75de1c01639cd5b58159eddf561944
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. fs/
  8. include/
  9. init/
  10. io_uring/
  11. ipc/
  12. kernel/
  13. lib/
  14. LICENSES/
  15. mm/
  16. net/
  17. rust/
  18. samples/
  19. scripts/
  20. security/
  21. sound/
  22. tools/
  23. usr/
  24. virt/
  25. .clang-format
  26. .cocciconfig
  27. .editorconfig
  28. .get_maintainer.ignore
  29. .gitattributes
  30. .gitignore
  31. .mailmap
  32. .rustfmt.toml
  33. COPYING
  34. CREDITS
  35. Kbuild
  36. Kconfig
  37. MAINTAINERS
  38. Makefile
  39. README