On Fri, Jan 12, 2024 at 04:54:35AM +0300, Cengiz Can wrote:
From: Phil Sutter <phil@nwl.cc>

commit f1082dd31fe461d482d69da2a8eccfeb7bf07ac2 upstream.
An nftables family is merely a hollow container, its family just a number and such not reliant on compile-time options other than nftables support itself. Add an artificial check so attempts at using a family the kernel can't support fail as early as possible. This helps user space detect kernels which lack e.g. NFPROTO_INET.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Cengiz Can <cengiz.can@canonical.com>
---
 net/netfilter/nf_tables_api.c | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
Any specific reason you sent this to us for inclusion _AFTER_ you posted to oss-security, notifying the world of the issue?
Anyway, I have queued them up already from that report, and just now got to these patches in my queue, making me a little bit less grumpy, but not a lot. Please be more considerate next time.
greg k-h