netfilter: nft_dynset: report EOPNOTSUPP on missing set feature

From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>

commit 95cd4bca7b1f4a25810f3ddfc5e767fb46931789 upstream.

If userspace requests a feature which is not available in the original set
definition, then bail out with EOPNOTSUPP. If userspace sends
unsupported dynset flags (new feature not supported by this kernel),
then report EOPNOTSUPP to userspace. EINVAL should be only used to
report malformed netlink messages from userspace.

Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates")
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/netfilter/nft_dynset.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -133,7 +133,7 @@ static int nft_dynset_init(const struct
 		u32 flags = ntohl(nla_get_be32(tb[NFTA_DYNSET_FLAGS]));
 
 		if (flags & ~NFT_DYNSET_F_INV)
-			return -EINVAL;
+			return -EOPNOTSUPP;
 		if (flags & NFT_DYNSET_F_INV)
 			priv->invert = true;
 	}
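Review bot: the flag mask check `if (flags & ~NFT_DYNSET_F_INV)` would benefit from a one-line comment stating the errno convention the commit message establishes (unknown flag bits mean a feature this kernel does not implement, hence -EOPNOTSUPP; -EINVAL is reserved for malformed netlink messages), since nothing at the call site distinguishes the two cases and a later cleanup could easily revert it to -EINVAL. Note also that NFT_DYNSET_F_INV is the only flag accepted here, so any newer flag from a more recent nftables userspace now fails with "Operation not supported" rather than "Invalid argument"; any in-tree or userspace test keyed on the old errno needs updating alongside this backport.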
@@ -168,7 +168,7 @@ static int nft_dynset_init(const struct
 	timeout = 0;
 	if (tb[NFTA_DYNSET_TIMEOUT] != NULL) {
 		if (!(set->flags & NFT_SET_TIMEOUT))
-			return -EINVAL;
+			return -EOPNOTSUPP;
 
 		err = nf_msecs_to_jiffies64(tb[NFTA_DYNSET_TIMEOUT], &timeout);
 		if (err)
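Review bot: the errno split in this hunk is internally consistent and worth calling out: requesting a timeout on a set created without NFT_SET_TIMEOUT is a feature mismatch and now returns -EOPNOTSUPP, while a timeout attribute that fails to parse in `nf_msecs_to_jiffies64()` still propagates that function's own error, which is the malformed-message case the commit message reserves for EINVAL. Since errno values returned over netlink are visible to userspace, the stable changelog for 4.19 should mention that tooling which previously matched "Invalid argument" for this condition will now see "Operation not supported".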
@@ -182,7 +182,7 @@ static int nft_dynset_init(const struct
 
 	if (tb[NFTA_DYNSET_SREG_DATA] != NULL) {
 		if (!(set->flags & NFT_SET_MAP))
-			return -EINVAL;
+			return -EOPNOTSUPP;
 		if (set->dtype == NFT_DATA_VERDICT)
 			return -EOPNOTSUPP;
 
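Review bot: after this change the `!(set->flags & NFT_SET_MAP)` check and the existing `set->dtype == NFT_DATA_VERDICT` check immediately below it both return -EOPNOTSUPP, which removes the previous inconsistency where two adjacent "this set cannot do that" conditions reported different errnos; that consistency argument would be worth a sentence in the commit message. Since the Fixes tag points at 22fe54d5fefc, which introduced all three -EINVAL returns, the three hunks together cover every feature-mismatch path in `nft_dynset_init()` visible in this diff, so no further -EINVAL sites of the same kind appear to be left behind in this function.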


Patches currently in stable-queue which might be from kroah.com@xxxxxxxxxxxxxxx are

queue-4.19/netfilter-nf_tables-bogus-ebusy-when-deleting-flowtable-after-flush-for-4.19.patch
queue-4.19/netfilter-nft_set_rbtree-switch-to-node-list-walk-for-overlap-detection.patch
queue-4.19/netfilter-nf_tables-validate-nfproto_-family.patch
queue-4.19/netfilter-nf_tables-unregister-flowtable-hooks-on-netns-exit.patch
queue-4.19/netfilter-nf_tables-fix-gc-transaction-races-with-netns-and-netlink-event-exit-path.patch
queue-4.19/netfilter-nft_set_rbtree-use-read-spinlock-to-avoid-datapath-contention.patch
queue-4.19/netfilter-nft_dynset-report-eopnotsupp-on-missing-set-feature.patch
queue-4.19/netfilter-nf_tables-discard-table-flag-update-with-pending-basechain-deletion.patch
queue-4.19/netfilter-nft_set_rbtree-skip-sync-gc-for-new-elements-in-this-transaction.patch
queue-4.19/netfilter-nf_tables-mark-set-as-dead-when-unbinding-anonymous-set-with-timeout.patch
queue-4.19/netfilter-nf_tables-reject-new-basechain-after-table-flag-update.patch
queue-4.19/netfilter-nf_tables-gc-transaction-race-with-netns-dismantle.patch
queue-4.19/netfilter-nftables-update-table-flags-from-the-commit-phase.patch
queue-4.19/netfilter-nf_tables-allow-nfproto_inet-in-nft_-match-target-_validate.patch
queue-4.19/netfilter-nft_set_rbtree-skip-end-interval-element-from-gc.patch
queue-4.19/netfilter-nf_tables-drop-map-element-references-from-preparation-phase.patch
queue-4.19/netfilter-nf_tables-gc-transaction-race-with-abort-path.patch
queue-4.19/netfilter-nf_tables-fix-memleak-when-more-than-255-elements-expired.patch
queue-4.19/netfilter-nft_set_rbtree-add-missing-expired-checks.patch
queue-4.19/netfilter-nf_tables-double-hook-unregistration-in-netns-path.patch
queue-4.19/netfilter-nft_dynset-relax-superfluous-check-on-set-updates.patch
queue-4.19/netfilter-nf_tables-defer-gc-run-if-previous-batch-is-still-pending.patch
queue-4.19/netfilter-nft_set_hash-try-later-when-gc-hits-eagain-on-iteration.patch
queue-4.19/netfilter-nft_dynset-fix-timeouts-later-than-23-days.patch
queue-4.19/netfilter-nf_tables-mark-newset-as-dead-on-transaction-abort.patch
queue-4.19/netfilter-nf_tables-don-t-skip-expired-elements-during-walk.patch
queue-4.19/netfilter-nftables-rename-set-element-data-activation-deactivation-functions.patch
queue-4.19/netfilter-nf_tables-gc-transaction-api-to-avoid-race-with-control-plane.patch
queue-4.19/netfilter-nf_tables-set-dormant-flag-on-hook-register-failure.patch
queue-4.19/netfilter-nf_tables-remove-busy-mark-and-gc-batch-api.patch
queue-4.19/netfilter-nf_tables-skip-dead-set-elements-in-netlink-dump.patch
queue-4.19/netfilter-nf_tables-adapt-set-backend-to-use-gc-transaction-api.patch
queue-4.19/netfilter-nft_set_rbtree-fix-overlap-expiration-walk.patch
queue-4.19/netfilter-nf_tables-fix-table-flag-updates.patch
queue-4.19/netfilter-nf_tables-do-not-compare-internal-table-flags-on-updates.patch
queue-4.19/netfilter-nft_set_rbtree-allow-loose-matching-of-closing-element-in-interval.patch
queue-4.19/netfilter-nftables-exthdr-fix-4-byte-stack-oob-write.patch
queue-4.19/netfilter-nft_set_rbtree-fix-null-deref-on-element-insertion.patch
queue-4.19/netfilter-nf_tables-pass-context-to-nft_set_destroy.patch
queue-4.19/netfilter-nf_tables-disable-toggling-dormant-table-state-more-than-once.patch
