author Florian Westphal <fw@strlen.de> 2026-06-18 08:16:18 +0200
committer Pablo Neira Ayuso <pablo@netfilter.org> 2026-06-21 00:18:26 +0200
commit bff1c8b49a9cb5c04af20f4e7d43bf4af5863bc6
tree 9148f22e6235d9c2bba5b08cb66a94288ba69b67 /include
parent 213be32f46a29ca15a314df06c3424ecffd6c90a
netfilter: nft_meta_bridge: add validate callback for get operations

Blamed commit added NFT_META_BRI_IIFHWADDR to the set validate callback, yet this is a get operation.

Add a get validate callback and move the NFT_META_BRI_IIFHWADDR key there.

AFAICS this is harmless, NFT_META_BRI_IIFHWADDR can deal with a NULL input device and the set handler ignores a NFT_META_BRI_IIFHWADDR operation, but it allows to read 4 bytes off bridge skb->cb[].

Fixes: cbd2257dc96e ("netfilter: nft_meta_bridge: introduce NFT_META_BRI_IIFHWADDR support")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'include')
-rw-r--r-- include/net/netfilter/nft_meta.h 2
1 files changed, 2 insertions, 0 deletions
diff --git a/include/net/netfilter/nft_meta.h b/include/net/netfilter/nft_meta.h
index f74e63290603d..6cf1d910bbf8d 100644
--- a/include/net/netfilter/nft_meta.h
+++ b/include/net/netfilter/nft_meta.h
@@ -40,6 +40,8 @@ void nft_meta_set_eval(const struct nft_expr *expr,
void nft_meta_set_destroy(const struct nft_ctx *ctx,
const struct nft_expr *expr);
+int nft_meta_get_validate(const struct nft_ctx *ctx,
+ const struct nft_expr *expr);
int nft_meta_set_validate(const struct nft_ctx *ctx,
const struct nft_expr *expr);
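Review bot: the new nft_meta_get_validate() prototype is declared directly beside nft_meta_set_validate() with an identical signature, and nothing in the header says which meta keys each callback is meant to check, which is the same mix-up the commit message describes for NFT_META_BRI_IIFHWADDR. A one-line comment above each declaration (get keys versus set keys) would make it harder to register a key under the wrong validate callback again. This view is limited to include/, so the definition of nft_meta_get_validate() and the nft_meta_bridge change that moves the key are not visible here and should be checked against the full patch.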