This allows user space to reliably match kernel generated handles with added rules for reference. Signed-off-by: Phil Sutter <phil@xxxxxx> --- net/netfilter/nf_tables_api.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 1c6482d2c4dcf..71bce5d024409 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -2142,6 +2142,7 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk, struct nft_userdata *udata; struct nft_trans *trans = NULL; struct nft_expr *expr; + struct sk_buff *skb2; struct nft_ctx ctx; struct nlattr *tmp; unsigned int size, i, n, ulen = 0, usize = 0; @@ -2281,8 +2282,24 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk, goto err3; } chain->use++; - return 0; + skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL); + if (!skb2) { + err = -ENOMEM; + goto err4; + } + err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid, + nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0, + nfmsg->nfgen_family, table, chain, rule); + if (err < 0) + goto err5; + + return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); + +err5: + kfree_skb(skb2); +err4: + chain->use--; err3: list_del_rcu(&rule->list); err2: -- 2.11.0 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html