author | Florian Westphal <fw@strlen.de> | 2019-03-07 23:20:11 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-03-11 20:01:20 +0100 |
commit | b8b27498659c65034032af79842913844a6cc79a (patch) | |
tree | 16094d0c30d365c1ef5a93e6ecc4139b9510b319 /net | |
parent | netfilter: nf_tables: use-after-free in dynamic operations (diff) | |
download | linux-b8b27498659c65034032af79842913844a6cc79a.tar.xz linux-b8b27498659c65034032af79842913844a6cc79a.zip |
netfilter: nf_tables: return immediately on empty commit
When running 'nft flush ruleset' while no rules exist, we will increment
the generation counter and announce a new genid to userspace, yet
nothing had changed in the first place.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
-rw-r--r-- | net/netfilter/nf_tables_api.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 9d8f51dfc593..513f93118604 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -6564,6 +6564,11 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) struct nft_chain *chain; struct nft_table *table; + if (list_empty(&net->nft.commit_list)) { + mutex_unlock(&net->nft.commit_mutex); + return 0; + } + /* 0. Validate ruleset, otherwise roll back for error reporting. */ if (nf_tables_validate(net) < 0) return -EAGAIN; |
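Review bot: the new early-out in nf_tables_commit() does `mutex_unlock(&net->nft.commit_mutex);` before `return 0;`, while the `return -EAGAIN;` directly below it returns without unlocking, so the lock discipline is asymmetric within the visible lines: successful returns release commit_mutex inside the function, error returns leave it held for the caller's abort path. The hunk is correct only if that is the established convention for this function, and nothing in the hunk states it, so a one-line comment above the `list_empty()` check would make the intent reviewable, e.g. `/* Nothing queued: release the commit lock as on the normal success path and skip validation/genid bump. */`. Placing the check ahead of the `/* 0. Validate ruleset ... */` step matches the commit message (no generation counter increment and no genid announcement when no transaction is pending), but the comment should say so explicitly since the numbered-step comments that follow otherwise document every phase.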