netfilter: nf_tables: Reject tables of unsupported family

pvts-mat · PlaidCat · commit 8c46207b039c · 2025-08-04T11:46:56.000-04:00
jira VULN-7622 cve CVE-2023-6040 commit-author Phil Sutter <phil@nwl.cc> commit f1082dd upstream-diff | 1. The `CONFIG_NF_TABLES_NETDEV' case removed because that option is not even available in the `ciqcbr7_9' yet. 2. All table type CONFIGs wrapped in `IS_ENABLED(...)' macro instead of just `CONFIG_NF_TABLES_BRIDGE' because all of them are of type "tristate" in `ciqcbr7_9', unlike in the newer kernels where they are "bool" and a simple #ifdef is sufficient. An nftables family is merely a hollow container, its family just a number and such not reliant on compile-time options other than nftables support itself. Add an artificial check so attempts at using a family the kernel can't support fail as early as possible. This helps user space detect kernels which lack e.g. NFPROTO_INET. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> (cherry picked from commit f1082dd) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
@@ -702,6 +702,27 @@ static int nf_tables_updtable(struct nft_ctx *ctx)
 	return ret;
 }
 
+static bool nft_supported_family(u8 family)
+{
+	return false
+#if IS_ENABLED(CONFIG_NF_TABLES_INET)
+		|| family == NFPROTO_INET
+#endif
+#if IS_ENABLED(CONFIG_NF_TABLES_IPV4)
+		|| family == NFPROTO_IPV4
+#endif
+#if IS_ENABLED(CONFIG_NF_TABLES_ARP)
+		|| family == NFPROTO_ARP
+#endif
+#if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)
+		|| family == NFPROTO_BRIDGE
+#endif
+#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
+		|| family == NFPROTO_IPV6
+#endif
+		;
+}
+
 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
 			      struct sk_buff *skb, const struct nlmsghdr *nlh,
 			      const struct nlattr * const nla[])
@@ -715,6 +736,9 @@ static int nf_tables_newtable(struct net *net, struct sock *nlsk,
 	struct nft_ctx ctx;
 	int err;
 
+	if (!nft_supported_family(family))
+		return -EOPNOTSUPP;
+
 	afi = nf_tables_afinfo_lookup(net, family, true);
 	if (IS_ERR(afi))
 		return PTR_ERR(afi);
