[NETFILTER] nfnetlink: unconditionally require CAP_NET_ADMIN

{

	int (*call)(struct sock *nl, struct sk_buff *skb, 

		struct nlmsghdr *nlh, struct nfattr *cda[], int *errp);

	kernel_cap_t cap_required; /* capabilities required for this msg */

	u_int16_t attr_count;	/* number of nfattr's */

};

static struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {

	[IPCTNL_MSG_CT_NEW]		= { .call = ctnetlink_new_conntrack,

					    .attr_count = CTA_MAX,

					    .cap_required = CAP_NET_ADMIN },

					    .attr_count = CTA_MAX, },

	[IPCTNL_MSG_CT_GET] 		= { .call = ctnetlink_get_conntrack,

					    .attr_count = CTA_MAX,

					    .cap_required = CAP_NET_ADMIN },

					    .attr_count = CTA_MAX, },

	[IPCTNL_MSG_CT_DELETE]  	= { .call = ctnetlink_del_conntrack,

					    .attr_count = CTA_MAX,

					    .cap_required = CAP_NET_ADMIN },

					    .attr_count = CTA_MAX, },

	[IPCTNL_MSG_CT_GET_CTRZERO] 	= { .call = ctnetlink_get_conntrack,

					    .attr_count = CTA_MAX,

					    .cap_required = CAP_NET_ADMIN },

					    .attr_count = CTA_MAX, },

};

static struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {

	[IPCTNL_MSG_EXP_GET]		= { .call = ctnetlink_get_expect,

					    .attr_count = CTA_EXPECT_MAX,

					    .cap_required = CAP_NET_ADMIN },

					    .attr_count = CTA_EXPECT_MAX, },

	[IPCTNL_MSG_EXP_NEW]		= { .call = ctnetlink_new_expect,

					    .attr_count = CTA_EXPECT_MAX,

					    .cap_required = CAP_NET_ADMIN },

					    .attr_count = CTA_EXPECT_MAX, },

	[IPCTNL_MSG_EXP_DELETE]		= { .call = ctnetlink_del_expect,

					    .attr_count = CTA_EXPECT_MAX,

					    .cap_required = CAP_NET_ADMIN },

					    .attr_count = CTA_EXPECT_MAX, },

};

static struct nfnetlink_subsystem ctnl_subsys = {

		 NFNL_SUBSYS_ID(nlh->nlmsg_type),

		 NFNL_MSG_TYPE(nlh->nlmsg_type));

	if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)) {

		DEBUGP("missing CAP_NET_ADMIN\n");

		*errp = -EPERM;

		return -1;

	}

	/* Only requests are handled by kernel now. */

	if (!(nlh->nlmsg_flags & NLM_F_REQUEST)) {

		DEBUGP("received non-request message\n");

	ss = nfnetlink_get_subsys(type);

	if (!ss) {

#ifdef CONFIG_KMOD

		if (cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)) {

		/* don't call nfnl_shunlock, since it would reenter

		 * with further packet processing */

		up(&nfnl_sem);

			request_module("nfnetlink-subsys-%d",

					NFNL_SUBSYS_ID(type));

		request_module("nfnetlink-subsys-%d", NFNL_SUBSYS_ID(type));

		nfnl_shlock();

		ss = nfnetlink_get_subsys(type);

		}

		if (!ss)

#endif

			goto err_inval;

		goto err_inval;

	}

	if (nc->cap_required && 

	    !cap_raised(NETLINK_CB(skb).eff_cap, nc->cap_required)) {

		DEBUGP("permission denied for type %d\n", type);

		*errp = -EPERM;

		return -1;

	}

	{

		u_int16_t attr_count = 

			ss->cb[NFNL_MSG_TYPE(nlh->nlmsg_type)].attr_count;

static struct nfnl_callback nfulnl_cb[NFULNL_MSG_MAX] = {

	[NFULNL_MSG_PACKET]	= { .call = nfulnl_recv_unsupp,

				    .attr_count = NFULA_MAX,

				    .cap_required = CAP_NET_ADMIN, },

				    .attr_count = NFULA_MAX, },

	[NFULNL_MSG_CONFIG]	= { .call = nfulnl_recv_config,

				    .attr_count = NFULA_CFG_MAX,

				    .cap_required = CAP_NET_ADMIN },

				    .attr_count = NFULA_CFG_MAX, },

};

static struct nfnetlink_subsystem nfulnl_subsys = {

static struct nfnl_callback nfqnl_cb[NFQNL_MSG_MAX] = {

	[NFQNL_MSG_PACKET]	= { .call = nfqnl_recv_unsupp,

				    .attr_count = NFQA_MAX,

				    .cap_required = CAP_NET_ADMIN },

				    .attr_count = NFQA_MAX, },

	[NFQNL_MSG_VERDICT]	= { .call = nfqnl_recv_verdict,

				    .attr_count = NFQA_MAX,

				    .cap_required = CAP_NET_ADMIN },

				    .attr_count = NFQA_MAX, },

	[NFQNL_MSG_CONFIG]	= { .call = nfqnl_recv_config,

				    .attr_count = NFQA_CFG_MAX,

				    .cap_required = CAP_NET_ADMIN },

				    .attr_count = NFQA_CFG_MAX, },

};

static struct nfnetlink_subsystem nfqnl_subsys = {