netfilter: nf_tables: Reject tables of unsupported family

PlaidCat · PlaidCat · commit 56c0f676c887 · 2025-06-06T13:30:50.000-04:00
jira LE-3201 cve CVE-2023-6040 Rebuild_History Non-Buildable kernel-rt-4.18.0-553.22.1.rt7.363.el8_10 commit-author Phil Sutter <phil@nwl.cc> commit f1082dd Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-rt-4.18.0-553.22.1.rt7.363.el8_10/f1082dd3.failed An nftables family is merely a hollow container, its family just a number and such not reliant on compile-time options other than nftables support itself. Add an artificial check so attempts at using a family the kernel can't support fail as early as possible. This helps user space detect kernels which lack e.g. NFPROTO_INET. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> (cherry picked from commit f1082dd) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # net/netfilter/nf_tables_api.c
diff --git a/ciq/ciq_backports/kernel-rt-4.18.0-553.22.1.rt7.363.el8_10/f1082dd3.failed b/ciq/ciq_backports/kernel-rt-4.18.0-553.22.1.rt7.363.el8_10/f1082dd3.failed
@@ -0,0 +1,97 @@
+netfilter: nf_tables: Reject tables of unsupported family
+
+jira LE-3201
+cve CVE-2023-6040
+Rebuild_History Non-Buildable kernel-rt-4.18.0-553.22.1.rt7.363.el8_10
+commit-author Phil Sutter <phil@nwl.cc>
+commit f1082dd31fe461d482d69da2a8eccfeb7bf07ac2
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-rt-4.18.0-553.22.1.rt7.363.el8_10/f1082dd3.failed
+
+An nftables family is merely a hollow container, its family just a
+number and such not reliant on compile-time options other than nftables
+support itself. Add an artificial check so attempts at using a family
+the kernel can't support fail as early as possible. This helps user
+space detect kernels which lack e.g. NFPROTO_INET.
+
+	Signed-off-by: Phil Sutter <phil@nwl.cc>
+	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit f1082dd31fe461d482d69da2a8eccfeb7bf07ac2)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	net/netfilter/nf_tables_api.c
+diff --cc net/netfilter/nf_tables_api.c
+index de9460cb3c8a,3168ad8cffd1..000000000000
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@@ -1077,23 -1072,51 +1077,59 @@@ static int nft_objname_hash_cmp(struct 
+  	return strcmp(obj->key.name, k->name);
+  }
+  
+++<<<<<<< HEAD
+ +static int nf_tables_newtable(struct net *net, struct sock *nlsk,
+ +			      struct sk_buff *skb, const struct nlmsghdr *nlh,
+ +			      const struct nlattr * const nla[],
+ +			      struct netlink_ext_ack *extack)
+++=======
++ static bool nft_supported_family(u8 family)
++ {
++ 	return false
++ #ifdef CONFIG_NF_TABLES_INET
++ 		|| family == NFPROTO_INET
++ #endif
++ #ifdef CONFIG_NF_TABLES_IPV4
++ 		|| family == NFPROTO_IPV4
++ #endif
++ #ifdef CONFIG_NF_TABLES_ARP
++ 		|| family == NFPROTO_ARP
++ #endif
++ #ifdef CONFIG_NF_TABLES_NETDEV
++ 		|| family == NFPROTO_NETDEV
++ #endif
++ #if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)
++ 		|| family == NFPROTO_BRIDGE
++ #endif
++ #ifdef CONFIG_NF_TABLES_IPV6
++ 		|| family == NFPROTO_IPV6
++ #endif
++ 		;
++ }
++ 
++ static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
++ 			      const struct nlattr * const nla[])
+++>>>>>>> f1082dd31fe4 (netfilter: nf_tables: Reject tables of unsupported family)
+  {
+ -	struct nftables_pernet *nft_net = nft_pernet(info->net);
+ -	struct netlink_ext_ack *extack = info->extack;
+ -	u8 genmask = nft_genmask_next(info->net);
+ -	u8 family = info->nfmsg->nfgen_family;
+ -	struct net *net = info->net;
+ +	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
+ +	u8 genmask = nft_genmask_next(net);
+ +	int family = nfmsg->nfgen_family;
+  	const struct nlattr *attr;
+  	struct nft_table *table;
+ -	struct nft_ctx ctx;
+  	u32 flags = 0;
+ +	struct nft_ctx ctx;
+  	int err;
+  
+++<<<<<<< HEAD
+ +	lockdep_assert_held(&net->nft_commit_mutex);
+++=======
++ 	if (!nft_supported_family(family))
++ 		return -EOPNOTSUPP;
++ 
++ 	lockdep_assert_held(&nft_net->commit_mutex);
+++>>>>>>> f1082dd31fe4 (netfilter: nf_tables: Reject tables of unsupported family)
+  	attr = nla[NFTA_TABLE_NAME];
+ -	table = nft_table_lookup(net, attr, family, genmask,
+ -				 NETLINK_CB(skb).portid);
+ +	table = nft_table_lookup(net, attr, family, genmask);
+  	if (IS_ERR(table)) {
+  		if (PTR_ERR(table) != -ENOENT)
+  			return PTR_ERR(table);
+* Unmerged path net/netfilter/nf_tables_api.c
