UPSTREAM: netfilter: nf_tables: disallow rule removal from chain binding
[ Upstream commit f15f29fd ]

Chain binding only requires the rule addition/insertion command within the same transaction. Removal of rules from chain bindings within the same transaction makes no sense, userspace does not utilize this feature.

Replace nft_chain_is_bound() check with nft_chain_binding() in rule deletion commands. Replace command implies a rule deletion, reject this command too.

Rule flush command can also safely rely on this nft_chain_binding() check because unbound chains are not allowed since 62e1e94b ("netfilter: nf_tables: reject unbound chain set before commit phase").

Bug: 302085977
Fixes: d0e2c7de ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
Reported-by: Kevin Rich <kevinrich1337@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 9af8bb2a)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I8b05dc37062824db4c2901000fdf701b38605d32