author | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-08-02 00:30:38 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-08-23 17:44:23 +0200 |
commit | 6133740d6e80d969ff7d41098a9db1091d0f9c94 (patch) | |
tree | ca5b27f8da06607c240090d936f66822e4c4c6c8 /include | |
parent | netfilter: nf_tables: introduce nft_chain_parse_hook() (diff) | |
download | linux-6133740d6e80d969ff7d41098a9db1091d0f9c94.tar.xz linux-6133740d6e80d969ff7d41098a9db1091d0f9c94.zip |
netfilter: nf_tables: reject hook configuration updates on existing chains

Currently, if you add a base chain whose name clashes with an existing
non-base chain, nf_tables doesn't complain about this. Similarly, if you
update the chain type, the hook number and priority.

With this patch, nf_tables bails out in case any of these unsupported
operations occur by returning EBUSY.

    # nft add table x
    # nft add chain x y
    # nft add chain x y { type nat hook input priority 0\; }
    <cmdline>:1:1-49: Error: Could not process rule: Device or resource busy
    add chain x y { type nat hook input priority 0; }
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'include')
0 files changed, 0 insertions, 0 deletions