nftables doesn't need this because anonymous sets are always released implicitly when the owning rule is deleted. nftables will also never remove elements from anonymous sets. We've had bad interaction of anon sets with the rule deletion, e.g. ability to schedule element removal from an anon set after rule deletion already deleted that set. Disable support for this until a use-case shows up, this should not result in any user-visible breakage even though this removes an existing feature. Signed-off-by: Florian Westphal <fw@xxxxxxxxx> --- iptables-nft and nftables test cases pass with this applied. net/netfilter/nf_tables_api.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 0396fd8f4e71..02c3f912db88 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -4996,6 +4996,11 @@ static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info, set = nft_set_lookup(table, attr, genmask); } + if (set->flags & NFT_SET_ANONYMOUS) { + NL_SET_BAD_ATTR(extack, attr); + return -EBUSY; + } + if (IS_ERR(set)) { if (PTR_ERR(set) == -ENOENT && NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSET) @@ -6888,6 +6893,12 @@ static int nf_tables_delsetelem(struct sk_buff *skb, set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask); if (IS_ERR(set)) return PTR_ERR(set); + + if (set->flags & NFT_SET_ANONYMOUS) { + NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]); + return -EROFS; + } + if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT) return -EBUSY; -- 2.39.3
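Review bot: in the nf_tables_delset() hunk the new `if (set->flags & NFT_SET_ANONYMOUS)` block sits before the existing `if (IS_ERR(set))` check, so when nft_set_lookup() returns an ERR_PTR the flags read dereferences an error pointer instead of reporting the lookup failure. Move the block below the IS_ERR branch (after its `return PTR_ERR(set)`), the same ordering the nf_tables_delsetelem() hunk already uses, so the NFT_MSG_DESTROYSET -ENOENT handling still runs first.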
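Review bot: the nf_tables_delsetelem() hunk returns -EROFS for an anonymous set while the nf_tables_delset() hunk returns -EBUSY for the same condition, and the constant-set check directly below this block also returns -EBUSY; pick one errno for "anonymous sets cannot be modified from userspace" and use it in both places, and add a one-line comment above the check stating that anonymous sets are released together with their rule (as the commit message explains), so the rejection is documented at the point where userspace hits it.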