author | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-12-06 22:49:58 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-12-09 13:14:05 +0100 |
commit | 81ec61074bcf68acfcb2820cda3ff9d9984419c7 (patch) | |
tree | e60fc2f886d1f4944449f2c1f8dff19e1f0c985f | |
parent | netfilter: nf_tables: skip module reference count bump on object updates (diff) | |
netfilter: nf_tables_offload: return EOPNOTSUPP if rule specifies no actions

If the rule only specifies the matching side, return EOPNOTSUPP.
Otherwise, the front-end relies on the drivers to reject this rule.

Fixes: c9626a2cbdb2 ("netfilter: nf_tables: add hardware offload support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | net/netfilter/nf_tables_offload.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c index d7a35da008ef..22fb18906ccf 100644 --- a/net/netfilter/nf_tables_offload.c +++ b/net/netfilter/nf_tables_offload.c @@ -44,6 +44,9 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net, expr = nft_expr_next(expr); } + if (num_actions == 0) + return ERR_PTR(-EOPNOTSUPP); + flow = nft_flow_rule_alloc(num_actions); if (!flow) return ERR_PTR(-ENOMEM); |
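
Review bot: The added `if (num_actions == 0)` check in front of `nft_flow_rule_alloc(num_actions)` carries no comment, so a reader of nft_flow_rule_create() has to go to the commit message to learn that a match-only rule is rejected here on purpose rather than left to the drivers. A one-line comment above the check, saying that a rule with no actions cannot be offloaded, would keep that reasoning in the code. The placement itself is fine: the return comes before the allocation, so there is nothing to free on this path, and it uses the same ERR_PTR() convention as the -ENOMEM return just below it.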