redonkable
/
alistair23-linux
1
0
Fork 0
Code Releases Activity

netfilter: nft_dynset: report EOPNOTSUPP on missing set feature 

commit 95cd4bca7b upstream.

If userspace requests a feature which is not available the original set
definition, then bail out with EOPNOTSUPP. If userspace sends
unsupported dynset flags (new feature not supported by this kernel),
then report EOPNOTSUPP to userspace. EINVAL should be only used to
report malformed netlink messages from userspace.

Fixes: 22fe54d5fe ("netfilter: nf_tables: add support for dynamic set updates")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5.4-rM2-2.2.x-imx-squashed
Pablo Neira Ayuso 2020-12-27 12:33:44 +01:00 committed by Greg Kroah-Hartman
parent 5e401ea716
commit a798b367a0
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
net/netfilter/nft_dynset.c
View File

@ -146,7 +146,7 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
u32 flags = ntohl(nla_get_be32(tb[NFTA_DYNSET_FLAGS]));
if (flags & ~NFT_DYNSET_F_INV)
return -EINVAL;
return -EOPNOTSUPP;
if (flags & NFT_DYNSET_F_INV)
priv->invert = true;
}
@ -179,7 +179,7 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
timeout = 0;
if (tb[NFTA_DYNSET_TIMEOUT] != NULL) {
if (!(set->flags & NFT_SET_TIMEOUT))
return -EINVAL;
return -EOPNOTSUPP;
err = nf_msecs_to_jiffies64(tb[NFTA_DYNSET_TIMEOUT], &timeout);
if (err)
@ -193,7 +193,7 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
if (tb[NFTA_DYNSET_SREG_DATA] != NULL) {
if (!(set->flags & NFT_SET_MAP))
return -EINVAL;
return -EOPNOTSUPP;
if (set->dtype == NFT_DATA_VERDICT)
return -EOPNOTSUPP;