On Wed, Aug 07, 2024 at 04:23:51PM +0200, Pablo Neira Ayuso wrote:
> If element timeout is unset and set provides no default timeout, the
> element expiration is silently ignored, reject this instead to let user
> know this is unsupported.
>
> While at it, remove unnecessary notation to read default set timeout
> under mutex.

The sentence above is a left-over from splitting patches, right?

> Fixes: 8e1102d5a159 ("netfilter: nf_tables: support timeouts larger than 23 days")
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> --- > net/netfilter/nf_tables_api.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c > index 0fb8f8f1ef66..79ab90069b84 100644 > --- a/net/netfilter/nf_tables_api.c > +++ b/net/netfilter/nf_tables_api.c > @@ -6920,6 +6920,9 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, > if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) { > if (!(set->flags & NFT_SET_TIMEOUT)) > return -EINVAL; > + if (timeout == 0) > + return -EOPNOTSUPP; > + > err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION], > &expiration); > if (err) > -- > 2.30.2
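
Review bot: the added `if (timeout == 0)` test in nft_add_set_elem() has no comment, and the visible context does not show where `timeout` is resolved from the element attribute or the set default, so a reader of this block cannot tell that zero here means "element timeout unset and no set default" as the commit message states. A one-line comment above the check saying so would make the -EOPNOTSUPP return self-explanatory next to the existing -EINVAL for a missing NFT_SET_TIMEOUT flag. The commit message's second paragraph ("While at it, remove ...") should also be dropped, since the diffstat is 3 insertions and the hunk contains no such removal.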