summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorFlorian Westphal <fw@strlen.de>2019-03-07 23:20:11 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2019-03-11 20:01:20 +0100
commitb8b27498659c65034032af79842913844a6cc79a (patch)
tree16094d0c30d365c1ef5a93e6ecc4139b9510b319 /net
parentnetfilter: nf_tables: use-after-free in dynamic operations (diff)
downloadlinux-b8b27498659c65034032af79842913844a6cc79a.tar.xz
linux-b8b27498659c65034032af79842913844a6cc79a.zip
netfilter: nf_tables: return immediately on empty commit
When running 'nft flush ruleset' while no rules exist, we will increment the generation counter and announce a new genid to userspace, yet nothing had changed in the first place. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
-rw-r--r--net/netfilter/nf_tables_api.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 9d8f51dfc593..513f93118604 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6564,6 +6564,11 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
struct nft_chain *chain;
struct nft_table *table;
+ if (list_empty(&net->nft.commit_list)) {
+ mutex_unlock(&net->nft.commit_mutex);
+ return 0;
+ }
+
/* 0. Validate ruleset, otherwise roll back for error reporting. */
if (nf_tables_validate(net) < 0)
return -EAGAIN;