Let's check table's chain list emptyness instead so struct nft_table does not grow and we avoid the (unlikely to happen) overflow.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@xxxxxxxxxxxxxxx>
---
 include/net/netfilter/nf_tables.h | 1 -
 net/netfilter/nf_tables_api.c | 7 +------
 2 files changed, 1 insertion(+), 7 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 215edf5..e4306a4 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -450,7 +450,6 @@ struct nft_table {
 struct list_head chains;
 struct list_head sets;
 u64 hgenerator;
- u32 use;
 u16 flags;
 char name[];
 };
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index c5d0129..68f90da 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -448,7 +448,7 @@ static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
 if (IS_ERR(table))
 return PTR_ERR(table);
- if (table->use)
+ if (!list_empty(&table->chains))
 return -EBUSY;
 list_del(&table->list);
@@ -835,9 +835,6 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
 if (IS_ERR(table))
 return PTR_ERR(table);
- if (table->use == UINT_MAX)
- return -EOVERFLOW;
-
 chain = NULL;
 name = nla[NFTA_CHAIN_NAME];
@@ -992,7 +989,6 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
 }
 }
 list_add_tail(&chain->list, &table->chains);
- table->use++;
 notify:
 nf_tables_chain_notify(skb, nlh, table, chain, NFT_MSG_NEWCHAIN, family);
@@ -1038,7 +1034,6 @@ static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb,
 return -EBUSY;
 list_del(&chain->list);
- table->use--;
 if (!(table->flags & NFT_TABLE_F_DORMANT) && chain->flags & NFT_BASE_CHAIN)
--
1.8.3.2
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
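Review bot: The busy check in nf_tables_deltable now tests only `table->chains`, while struct nft_table (see the header hunk) also carries a `sets` list that nothing visible here inspects before `list_del(&table->list)`. The removed counter tracked only chains too, judging by the `table->use++` and `table->use--` lines dropped in the newchain and delchain hunks, so this is not a regression, but if a set can exist in a table that has no chains, deleting the table would leave that set unreachable or leaked. If that is possible, consider `if (!list_empty(&table->chains) || !list_empty(&table->sets)) return -EBUSY;`, or add a comment at the check saying where sets are released. The rest of nf_tables_deltable lies outside the hunk, so a later cleanup of sets cannot be ruled out from this page.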