netfilter: nf_tables: reject hook configuration updates on existing chains - linux

diff options

author	Pablo Neira Ayuso <pablo@netfilter.org>	2016-08-02 00:30:38 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2016-08-23 17:44:23 +0200
commit	6133740d6e80d969ff7d41098a9db1091d0f9c94 (patch)
tree	ca5b27f8da06607c240090d936f66822e4c4c6c8 /lib/rhashtable.c
parent	netfilter: nf_tables: introduce nft_chain_parse_hook() (diff)
download	linux-6133740d6e80d969ff7d41098a9db1091d0f9c94.tar.xz linux-6133740d6e80d969ff7d41098a9db1091d0f9c94.zip

netfilter: nf_tables: reject hook configuration updates on existing chains

Currently, if you add a base chain whose name clashes with an existing non-base chain, nf_tables doesn't complain about this. Similarly, if you update the chain type, the hook number and priority. With this patch, nf_tables bails out in case any of this unsupported operations occur by returning EBUSY. # nft add table x # nft add chain x y # nft add chain x y { type nat hook input priority 0\; } <cmdline>:1:1-49: Error: Could not process rule: Device or resource busy add chain x y { type nat hook input priority 0; } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'lib/rhashtable.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: