Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> If a ruleset declares a set name that matches an existing set in the
> kernel, then validate that this declaration really refers to the same
> set, otherwise bail out with EEXIST.
>
> Currently, the kernel reports success when adding a set that already
> exists in the kernel. This usually results in EINVAL errors at a later
> stage, when the user adds elements to the set, if the set declaration
> mismatches the existing set representation in the kernel.
>
> Add a new function to check that the set declaration really refers to
> the same existing set in the kernel.
>
> Fixes: 96518518cc41 ("netfilter: add nftables")
> Reported-by: Florian Westphal <fw@xxxxxxxxx>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
> I plan to post a v2; there are still a number of fields that are not yet
> validated.

Thanks.

It would also be good to permit 're-add' to change e.g. the timeout value
associated with the set (if klen/dlen etc. are equal).
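As an added illustration (not the kernel's code and not part of this thread), a simplified model of the check the patch describes: a re-declaration under an existing name is accepted only when its layout matches, and is otherwise rejected with EEXIST instead of being silently reported as success; it also folds in the reply's suggestion that a matching re-add may update the timeout. The names set_decl, set_table and set_add are hypothetical and not the kernel's.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified model of a set declaration; not the kernel's
 * struct nft_set. Only the fields the check below compares are kept. */
struct set_decl {
    char name[32];
    uint32_t flags;    /* set flags (constant, interval, map, ...) */
    uint32_t ktype;    /* key data type */
    uint32_t klen;     /* key length in bytes */
    uint32_t dtype;    /* mapped data type, 0 when not a map */
    uint32_t dlen;     /* mapped data length, 0 when not a map */
    uint64_t timeout;  /* default element timeout, 0 = none */
};

#define MAX_SETS 8
struct set_table {
    struct set_decl sets[MAX_SETS];
    int count;
};

static struct set_decl *set_lookup(struct set_table *t, const char *name)
{
    for (int i = 0; i < t->count; i++)
        if (strcmp(t->sets[i].name, name) == 0)
            return &t->sets[i];
    return NULL;
}

/* Add a set, or validate that a re-declaration refers to the same set.
 * Returns 0 on success, -EEXIST when the name is reused with a different
 * layout, -ENOSPC when the table is full. The timeout is excluded from
 * the comparison and updated in place, as suggested in the reply above. */
int set_add(struct set_table *t, const struct set_decl *decl)
{
    struct set_decl *existing = set_lookup(t, decl->name);

    if (!existing) {
        if (t->count >= MAX_SETS)
            return -ENOSPC;
        t->sets[t->count++] = *decl;
        return 0;
    }
    if (existing->flags != decl->flags || existing->ktype != decl->ktype ||
        existing->klen != decl->klen || existing->dtype != decl->dtype ||
        existing->dlen != decl->dlen)
        return -EEXIST;
    existing->timeout = decl->timeout; /* allowed to change on re-add */
    return 0;
}
```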