netfilter: nft_osf: usage from output path is not valid
authorFernando Fernandez Mancera <ffmancera@riseup.net>
Wed, 10 Oct 2018 07:56:09 +0000 (09:56 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Thu, 11 Oct 2018 09:29:14 +0000 (11:29 +0200)
The nft_osf extension, like xt_osf, is not supported from the output
path.

Fixes: b96af92d6eaf ("netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf")
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nft_osf.c

index a35fb59ace7326324811a21704eb2932e2ca5a4c..df4e3e0412ed3654d6a846156ccc281f2cf5bffe 100644 (file)
@@ -69,6 +69,15 @@ nla_put_failure:
        return -1;
 }
 
+static int nft_osf_validate(const struct nft_ctx *ctx,
+                           const struct nft_expr *expr,
+                           const struct nft_data **data)
+{
+       return nft_chain_validate_hooks(ctx->chain, (1 << NF_INET_LOCAL_IN) |
+                                                   (1 << NF_INET_PRE_ROUTING) |
+                                                   (1 << NF_INET_FORWARD));
+}
+
 static struct nft_expr_type nft_osf_type;
 static const struct nft_expr_ops nft_osf_op = {
        .eval           = nft_osf_eval,
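Review bot: nft_osf_validate() builds its hook mask from NF_INET_* values but never checks ctx->family, so the mask only means what it says on chains that use the inet hook numbering. If the expression can be loaded into a table of another family (not visible in this hunk), the same bit positions name different hooks there, and a chain could pass validation while sitting on a path this check is meant to exclude. I would gate on the family first, return -EOPNOTSUPP for anything other than NFPROTO_IPV4, NFPROTO_IPV6 and NFPROTO_INET, and then validate the hooks as now. A short comment stating why the output path is excluded would also help, since the commit message only says "like xt_osf".

```c
static int nft_osf_validate(const struct nft_ctx *ctx,
                            const struct nft_expr *expr,
                            const struct nft_data **data)
{
        unsigned int hooks;

        /* Hook numbers below are only meaningful for the inet families. */
        switch (ctx->family) {
        case NFPROTO_IPV4:
        case NFPROTO_IPV6:
        case NFPROTO_INET:
                hooks = (1 << NF_INET_LOCAL_IN) |
                        (1 << NF_INET_PRE_ROUTING) |
                        (1 << NF_INET_FORWARD);
                break;
        default:
                return -EOPNOTSUPP;
        }

        return nft_chain_validate_hooks(ctx->chain, hooks);
}
```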
@@ -76,6 +85,7 @@ static const struct nft_expr_ops nft_osf_op = {
        .init           = nft_osf_init,
        .dump           = nft_osf_dump,
        .type           = &nft_osf_type,
+       .validate       = nft_osf_validate,
 };
 
 static struct nft_expr_type nft_osf_type __read_mostly = {