netfilter: nf_tables: reject unbound chain set before commit phase

[platform/kernel/linux-rpi.git] / net / netfilter / nf_tables_api.c

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 66da44b..bab7924 100644 (file)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -370,6 +370,11 @@ static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *tr
                    nft_set_is_anonymous(nft_trans_set(trans)))
                        list_add_tail(&trans->binding_list, &nft_net->binding_list);
                break;
+       case NFT_MSG_NEWCHAIN:
+               if (!nft_trans_chain_update(trans) &&
+                   nft_chain_binding(nft_trans_chain(trans)))
+                       list_add_tail(&trans->binding_list, &nft_net->binding_list);
+               break;
        }
 
        list_add_tail(&trans->list, &nft_net->commit_list);
@@ -9501,6 +9506,14 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
                                return -EINVAL;
                        }
                        break;
+               case NFT_MSG_NEWCHAIN:
+                       if (!nft_trans_chain_update(trans) &&
+                           nft_chain_binding(nft_trans_chain(trans)) &&
+                           !nft_trans_chain_bound(trans)) {
+                               pr_warn_once("nftables ruleset with unbound chain\n");
+                               return -EINVAL;
+                       }
+                       break;
                }
        }