Hi Pablo,

2017-03-21 22:57 GMT+08:00 Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>:
> We only allow runtime updates of expectation policies for timeout and
> maximum number of expectations, otherwise reject the update.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
> v3: Fixed expect_class_max semantics. Compile-tested only.

Acked-by: Liping Zhang <zlpnobody@xxxxxxxxx>

[...]
> + /* Check first that all policy attributes are well-formed, so we don't > + * leave things in inconsistent state on errors. > + */

Good point, I missed this possible error scenario in my original patch 4/5.

> + for (i = 0; i < helper->expect_class_max + 1; i++) { > + > + if (!tb[NFCTH_POLICY_SET + i]) > + return -EINVAL; > + > + err = nfnl_cthelper_update_policy_one(&helper->expect_policy[i], > + &new_policy[i], > + tb[NFCTH_POLICY_SET + i]); > + if (err < 0) > + return err; > + } > + /* Now we can safely update them. */
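
Review bot: the validation loop indexes new_policy[i] and tb[NFCTH_POLICY_SET + i] for i up to helper->expect_class_max, and the quoted lines show neither the declaration of new_policy nor the maximum attribute index tb was parsed with. Both need to cover expect_class_max + 1 entries, so please confirm that or add an explicit bound check before the loop. The validate-first, update-second split that the two comments describe is the right shape for avoiding a half-applied policy set, provided nfnl_cthelper_update_policy_one() only writes to new_policy[i] and never to helper->expect_policy[i] in this pass; a one-line comment on that function stating so would help. Style: the empty added line directly after the opening brace of the for loop can be dropped. Since v3 is marked compile-tested only, a runtime test of an update that omits one NFCTH_POLICY_SET attribute would confirm that the -EINVAL path leaves the existing policies unchanged.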