netfilter: nft_reject: restrict to INPUT/FORWARD/OUTPUT
After I add the nft rule "nft add rule filter prerouting reject
with tcp reset", kernel panic happened on my system:
NULL pointer dereference at ...
IP: [<
ffffffff81b9db2f>] nf_send_reset+0xaf/0x400
Call Trace:
[<
ffffffff81b9da80>] ? nf_reject_ip_tcphdr_get+0x160/0x160
[<
ffffffffa0928061>] nft_reject_ipv4_eval+0x61/0xb0 [nft_reject_ipv4]
[<
ffffffffa08e836a>] nft_do_chain+0x1fa/0x890 [nf_tables]
[<
ffffffffa08e8170>] ? __nft_trace_packet+0x170/0x170 [nf_tables]
[<
ffffffffa06e0900>] ? nf_ct_invert_tuple+0xb0/0xc0 [nf_conntrack]
[<
ffffffffa07224d4>] ? nf_nat_setup_info+0x5d4/0x650 [nf_nat]
[...]
Because in the PREROUTING chain, routing information is not exist,
then we will dereference the NULL pointer and oops happen.
So we restrict reject expression to INPUT, FORWARD and OUTPUT chain.
This is consistent with iptables REJECT target.
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>