netfilter: disallow bpf hook attachment at same priority
authorFlorian Westphal <fw@strlen.de>
Fri, 21 Apr 2023 17:02:57 +0000 (19:02 +0200)
committerAlexei Starovoitov <ast@kernel.org>
Fri, 21 Apr 2023 18:34:14 +0000 (11:34 -0700)
This is just to avoid ordering issues between multiple bpf programs,
this could be removed later in case it turns out to be too cautious.

bpf prog could still be shared with non-bpf hook, otherwise we'd have to
make conntrack hook registration fail just because a bpf program has
same priority.

Signed-off-by: Florian Westphal <fw@strlen.de>
Link: https://lore.kernel.org/r/20230421170300.24115-5-fw@strlen.de
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
net/netfilter/core.c

index 358220b585215109ead54f198589bc4ae92f2d3d..f0783e42108bab59cbf59e4296898ed3bffaf44c 100644 (file)
@@ -119,6 +119,18 @@ nf_hook_entries_grow(const struct nf_hook_entries *old,
                for (i = 0; i < old_entries; i++) {
                        if (orig_ops[i] != &dummy_ops)
                                alloc_entries++;
+
+                       /* Restrict BPF hook type to force a unique priority, not
+                        * shared at attach time.
+                        *
+                        * This is mainly to avoid ordering issues between two
+                        * different bpf programs, this doesn't prevent a normal
+                        * hook at same priority as a bpf one (we don't want to
+                        * prevent defrag, conntrack, iptables etc from attaching).
+                        */
+                       if (reg->priority == orig_ops[i]->priority &&
+                           reg->hook_ops_type == NF_HOOK_OP_BPF)
+                               return ERR_PTR(-EBUSY);
                }
        }