[PATCH nf,v1] netfilter: nf_tables: perform type checking for existing sets

[PATCH nf,v1] netfilter: nf_tables: perform type checking for existing sets

[Pablo Neira Ayuso]

If a ruleset declares a set name that matches an existing set in the
kernel, then validate that this declaration really refers to the same
set, otherwise bail out with EEXIST.

Currently, the kernel reports success when adding a set that already
exists in the kernel. This usually results in EINVAL errors at a later
stage, when the user adds elements to the set, if the set declaration
mismatches the existing set representation in the kernel.

Add a new function to check that the set declaration really refers to
the same existing set in the kernel.

Fixes: 96518518cc41 ("netfilter: add nftables")
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
I plan to post a v2, there is still a number of fields that are not yet
validated.

 net/netfilter/nf_tables_api.c | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 832b881f7c17..6b8cfdec4abd 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4389,6 +4389,28 @@ static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
 	return err;
 }
 
+static bool nft_set_is_same(const struct nft_set *set,
+			    const struct nft_set_desc *desc,
+			    u32 ktype, u32 dtype, u32 objtype, u32 flags)
+{
+	int i;
+
+	if (set->ktype != ktype ||
+	    set->dtype != dtype ||
+	    set->flags != flags ||
+	    set->klen != desc->klen ||
+	    set->dlen != desc->dlen ||
+	    set->field_count != desc->field_count)
+		return false;
+
+	for (i = 0; i < desc->field_count; i++) {
+		if (set->field_len[i] != desc->field_len[i])
+			return false;
+	}
+
+	return true;
+}
+
 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
 			    const struct nlattr * const nla[])
 {
@@ -4538,6 +4560,11 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
 		if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
 			return -EOPNOTSUPP;
 
+		if (!nft_set_is_same(set, &desc, ktype, dtype, objtype, flags)) {
+			NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
+			return -EEXIST;
+		}
+
 		return 0;
 	}
 
-- 
2.30.2

Re: [PATCH nf,v1] netfilter: nf_tables: perform type checking for existing sets

[Florian Westphal]

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> If a ruleset declares a set name that matches an existing set in the
> kernel, then validate that this declaration really refers to the same
> set, otherwise bail out with EEXIST.
> 
> Currently, the kernel reports success when adding a set that already
> exists in the kernel. This usually results in EINVAL errors at a later
> stage, when the user adds elements to the set, if the set declaration
> mismatches the existing set representation in the kernel.
> 
> Add a new function to check that the set declaration really refers to
> the same existing set in the kernel.
> 
> Fixes: 96518518cc41 ("netfilter: add nftables")
> Reported-by: Florian Westphal <fw@strlen.de>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> I plan to post a v2, there is still a number of fields that are not yet
> validated.

Thanks.  It would also be good to permit 're-add' to change
e.g. the timeout value associated with the set (if klen/dlen etc. are
equal).