From: Patrick McHardy <kaber@xxxxxxxxx> Treat a failed binding similar to binding+unbinding and destroy the set immediately to avoid leaving stray sets in the table. Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx> --- net/netfilter/nf_tables_api.c | 10 +++++++++- 1 Datei geändert, 9 Zeilen hinzugefügt(+), 1 Zeile entfernt(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 570b877..c0f0cf06e 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -1980,6 +1980,9 @@ int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, { struct nft_set_bind_check_args args; + if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS) + return -EBUSY; + if (set->flags & NFT_SET_MAP) { args.iter.skip = 0; args.iter.count = 0; @@ -1988,8 +1991,13 @@ int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, args.ctx = ctx; set->ops->walk(set, &args.iter); - if (args.iter.err < 0) + if (args.iter.err < 0) { + /* Destroy anonymous sets if binding fails */ + if (set->flags & NFT_SET_ANONYMOUS) + nf_tables_set_destroy(ctx, set); + return args.iter.err; + } } binding->chain = ctx->chain; -- 1.7.11.7
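Review bot: The new -EBUSY return at the top of nf_tables_bind_set() (first hunk, @@ -1980) is not mentioned in the commit message, which only describes destroying the set on a failed binding. Refusing a second binding of an anonymous set is a separate behavioural change, so it should either be described in the changelog or split into its own patch, and a one-line comment above the check would help readers. The condition "!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS" evaluates as intended because & binds tighter than &&, but parentheses around "set->flags & NFT_SET_ANONYMOUS" would make that explicit. Note also that this path returns without destroying the set while the error path in the second hunk does destroy it, so the two error returns leave the set in different states and the difference deserves a comment.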
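Review bot: After this change the error path under "if (args.iter.err < 0)" (second hunk, @@ -1988) calls nf_tables_set_destroy(ctx, set) for anonymous sets and then returns the error, so the caller is left holding a pointer to a set that has already been destroyed. The callers' error handling is not visible in this patch; please confirm that none of them dereferences or releases the set again after nf_tables_bind_set() fails, since that would be a use-after-free or double destroy. Because the function now takes ownership of anonymous sets on this failure path, a comment on nf_tables_bind_set() stating so would prevent future callers from adding their own cleanup. The destroy is also only reachable inside the "if (set->flags & NFT_SET_MAP)" block, so it is worth stating in the changelog that this walk is the only point where binding can fail once the -EBUSY check has passed.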