In order to restrict element number of each set, member ->size is used. that used to be given by user-space. if user-space don't specify ->size, number of element is unlimited. so that overflow can occurred. After this patch, If user-space don't specify ->size, 65535 is set. all types of set have same default size.
test commands:
%nft add table ip aa
%nft add map ip aa map1 { type ipv4_add : verdict\; }
%nft list ruleset
Before this patch:
table ip aa { map map1 { type ipv4_addr : verdict } }
After this patch:
table ip aa { map map1 { type ipv4_addr : verdict size 65535 } }
V2:
- Add default set->size value instead add check set->size routine.
- Requested by Florian Westphal
Suggested-by: Florian Westphal <fw@xxxxxxxxx>
Signed-off-by: Taehee Yoo <ap420073@xxxxxxxxx>
---
 net/netfilter/nf_tables_api.c | 13 ++++++++-----
 net/netfilter/nft_dynset.c | 6 +-----
 2 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 896d4a3..eb069b0 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -23,6 +23,8 @@
 #include <net/net_namespace.h>
 #include <net/sock.h>
 
+#define NFT_DEFAULT_SET_SIZE 0xffff
+
 static LIST_HEAD(nf_tables_expressions);
 static LIST_HEAD(nf_tables_objects);
 static LIST_HEAD(nf_tables_flowtables);
@@ -3060,8 +3062,7 @@ static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
 	desc = nla_nest_start(skb, NFTA_SET_DESC);
 	if (desc == NULL)
 		goto nla_put_failure;
-	if (set->size &&
-	    nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
+	if (nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
 		goto nla_put_failure;
 	nla_nest_end(skb, desc);
 
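Review bot: `NFT_DEFAULT_SET_SIZE` is introduced as a bare `#define` in nf_tables_api.c with no comment, although the same value also governs nft_dynset.c, where the series removes the hard-coded `0xffff` fallback from nft_dynset_init. Since both files implement one policy, the constant belongs in a header both of them include, with a comment stating what it is, e.g. `/* Element cap applied when userspace omits NFTA_SET_DESC_SIZE. */`. Defining it as an enum constant rather than a macro would also keep it visible in a debugger.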
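Review bot: Dropping the `set->size &&` guard makes NFTA_SET_DESC_SIZE part of every set dump, which is a userspace-visible change: listings of sets created without an explicit size now show `size 65535`, as the commit message illustrates, and a ruleset saved from this kernel and restored on an older one carries an explicit size it never had. The commit message should state this as an intentional ABI change, and the hunk deserves a comment such as `/* ->size is never zero: nf_tables_newset() applies NFT_DEFAULT_SET_SIZE */` so the next reader does not re-add the guard. nf_tables_fill_set continues outside the hunk.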
@@ -3437,7 +3438,10 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk,
 	set->objtype = objtype;
 	set->dlen = desc.dlen;
 	set->flags = flags;
-	set->size = desc.size;
+	if (desc.size)
+		set->size = desc.size;
+	else
+		set->size = NFT_DEFAULT_SET_SIZE;
 	set->policy = policy;
 	set->udlen = udlen;
 	set->udata = udata;
@@ -4331,8 +4335,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
 		goto err5;
 	}
 
-	if (set->size &&
-	    !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
+	if (!atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
 		err = -ENFILE;
 		goto err6;
 	}
diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index 27d7e459..c26970f 100644
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -57,8 +57,7 @@ static void *nft_dynset_new(struct nft_set *set, const struct nft_expr *expr,
 err2:
 	nft_set_elem_destroy(set, elem, false);
 err1:
-	if (set->size)
-		atomic_dec(&set->nelems);
+	atomic_dec(&set->nelems);
 	return NULL;
 }
 
@@ -223,9 +222,6 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
 	if (err < 0)
 		goto err1;
 
-	if (set->size == 0)
-		set->size = 0xffff;
-
 	priv->set = set;
 	return 0;
 
-- 
2.9.3

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
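Review bot: Substituting NFT_DEFAULT_SET_SIZE when `desc.size` is zero turns a formerly unlimited set into one capped at 65535 elements, and with the matching guard removed in nft_add_set_elem (the `@@ -4331` hunk) the 65536th element of any existing ruleset that never specified `size` now fails with -ENFILE. That is a compatibility break for large sets, not only a listing change, so the commit message should say so explicitly and the chosen threshold needs a justification; the current text motivates the cap only by the overflow case. As a style point the if/else collapses to the kernel's usual one-liner, `set->size = desc.size ?: NFT_DEFAULT_SET_SIZE;`. nf_tables_newset extends beyond the hunk on both sides.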
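Review bot: The `err1` path in nft_dynset_new now decrements `set->nelems` unconditionally, which is balanced only if the increment at the top of the function, outside this hunk, is also unconditional; if that increment still sits behind a `set->size` test, a failed element allocation would push the counter below the real element count. Worth confirming both sides match within this patch, and a comment on the label, `/* undo the atomic_add_unless() at entry */`, would tie them together for the next reader. The function's head lies outside the hunk.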