author | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-06-16 15:22:01 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-06-20 22:43:41 +0200 |
commit | b770283c98e0eee9133c47bc03b6cc625dc94723 (patch) | |
tree | 523168ab59b2a040ee4f2a687721c1e38f84ca72 /net | |
parent | netfilter: nf_tables: reject unbound chain set before commit phase (diff) | |
netfilter: nf_tables: disallow updates of anonymous sets
Disallow updates of set timeout and garbage collection parameters for
anonymous sets.
Fixes: 123b99619cca ("netfilter: nf_tables: honor set timeout and garbage collection updates")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
-rw-r--r-- | net/netfilter/nf_tables_api.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index bab792434a8d..16995b88da2f 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -4963,6 +4963,9 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, if (info->nlh->nlmsg_flags & NLM_F_REPLACE) return -EOPNOTSUPP; + if (nft_set_is_anonymous(set)) + return -EOPNOTSUPP; + err = nft_set_expr_alloc(&ctx, set, nla, exprs, &num_exprs, flags); if (err < 0) return err; |
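
Review bot: The added `nft_set_is_anonymous(set)` check in nf_tables_newset() is placed ahead of nft_set_expr_alloc(), so it rejects the entire update request for an existing anonymous set, while the commit message only mentions timeout and garbage collection parameters. If rejecting every update is the intent, a one-line comment above the check (or a sentence in the commit message) should say so and explain why anonymous sets must stay immutable once created. The check also returns the same -EOPNOTSUPP as the NLM_F_REPLACE test directly above it, so userspace cannot tell the two rejections apart from the error code alone; consider whether that is acceptable for callers that log or branch on this error.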