iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
11ff7288be
linux/net/bridge/netfilter
History
Florian Westphal 11ff7288be netfilter: ebtables: reject non-bridge targets 
the ebtables evaluation loop expects targets to return
positive values (jumps), or negative values (absolute verdicts).

This is completely different from what xtables does.
In xtables, targets are expected to return the standard netfilter
verdicts, i.e. NF_DROP, NF_ACCEPT, etc.

ebtables will consider these as jumps.

Therefore reject any target found due to unspec fallback.
v2: also reject watchers.  ebtables ignores their return value, so
a target that assumes skb ownership (and returns NF_STOLEN) causes
use-after-free.

The only watchers in the 'ebtables' front-end are log and nflog;
both have AF_BRIDGE specific wrappers on kernel side.

Reported-by: syzbot+2b43f681169a2a0d306a@syzkaller.appspotmail.com
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-06-06 15:04:04 +02:00
..
ebt_802_3.c netfilter: Convert FWINV<[foo]> macros and uses to NF_INVF 2016-07-03 10:55:07 +02:00
ebt_among.c netfilter: bridge: ebt_among: add more missing match size checks 2018-03-11 21:24:49 +01:00
ebt_arp.c netfilter: Convert FWINV<[foo]> macros and uses to NF_INVF 2016-07-03 10:55:07 +02:00
ebt_arpreply.c ebtables: arpreply: Add the standard target sanity check 2017-05-16 10:24:27 +02:00
ebt_dnat.c netfilter: ebt: Use new helper ebt_invalid_target to check target 2017-06-19 19:09:19 +02:00
ebt_ip6.c netfilter: ebtables: fix indent on if statements 2017-08-24 18:56:17 +02:00
ebt_ip.c netfilter: ebtables: add support for matching IGMP type 2018-03-20 17:24:10 +01:00
ebt_limit.c netfilter: bridge: use pr ratelimiting 2018-02-14 21:05:36 +01:00
ebt_log.c netfilter: Use pr_cont where appropriate 2017-03-06 18:00:48 +01:00
ebt_mark_m.c netfilter: xtables: deconstify struct xt_action_param for matches 2010-05-11 18:33:37 +02:00
ebt_mark.c netfilter: ebt: Use new helper ebt_invalid_target to check target 2017-06-19 19:09:19 +02:00
ebt_nflog.c netfilter: ebt_nflog: fix unexpected truncated packet 2017-06-29 18:47:02 +02:00
ebt_pkttype.c netfilter: xtables: deconstify struct xt_action_param for matches 2010-05-11 18:33:37 +02:00
ebt_redirect.c netfilter: ebt: Use new helper ebt_invalid_target to check target 2017-06-19 19:09:19 +02:00
ebt_snat.c netfilter: ebt: Use new helper ebt_invalid_target to check target 2017-06-19 19:09:19 +02:00
ebt_stp.c netfilter: bridge: stp fix reference to uninitialized data 2018-05-08 14:08:12 +02:00
ebt_vlan.c netfilter-bridge: use netdev style comments 2015-11-23 17:54:39 +01:00
ebtable_broute.c net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
ebtable_filter.c net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
ebtable_nat.c net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
ebtables.c netfilter: ebtables: reject non-bridge targets 2018-06-06 15:04:04 +02:00
Kconfig netfilter: nf_tables: build-in filter chain type 2018-03-30 11:29:19 +02:00
Makefile netfilter: nf_tables: build-in filter chain type 2018-03-30 11:29:19 +02:00
nf_log_bridge.c net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
nft_meta_bridge.c netfilter: Remove exceptional & on function name 2017-04-07 18:24:47 +02:00
nft_reject_bridge.c netfilter: nft_reject_bridge: fix skb allocation size in nft_reject_br_send_v6_unreach 2018-06-04 18:28:03 +02:00