[PATCH net 6/9] netfilter: nf_tables: disallow element removal on anonymous sets

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org,
	pabeni@redhat.com, edumazet@google.com
Subject: [PATCH net 6/9] netfilter: nf_tables: disallow element removal on anonymous sets
Date: Wed, 13 Sep 2023 23:57:57 +0200	[thread overview]
Message-ID: <20230913215800.107269-7-pablo@netfilter.org> (raw)
In-Reply-To: <20230913215800.107269-1-pablo@netfilter.org>

Anonymous sets need to be populated once at creation and then they are
bound to rule since 938154b93be8 ("netfilter: nf_tables: reject unbound
anonymous set before commit phase"), otherwise transaction reports
EINVAL.

Userspace does not need to delete elements of anonymous sets that are
not yet bound, reject this with EOPNOTSUPP.

From flush command path, skip anonymous sets, they are expected to be
bound already. Otherwise, EINVAL is hit at the end of this transaction
for unbound sets.

Fixes: 96518518cc41 ("netfilter: add nftables")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_tables_api.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 7b59311931fb..c1e485aee763 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1446,8 +1446,7 @@ static int nft_flush_table(struct nft_ctx *ctx)
 		if (!nft_is_active_next(ctx->net, set))
 			continue;
 
-		if (nft_set_is_anonymous(set) &&
-		    !list_empty(&set->bindings))
+		if (nft_set_is_anonymous(set))
 			continue;
 
 		err = nft_delset(ctx, set);
@@ -7191,8 +7190,10 @@ static int nf_tables_delsetelem(struct sk_buff *skb,
 	if (IS_ERR(set))
 		return PTR_ERR(set);
 
-	if (!list_empty(&set->bindings) &&
-	    (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS)))
+	if (nft_set_is_anonymous(set))
+		return -EOPNOTSUPP;
+
+	if (!list_empty(&set->bindings) && (set->flags & NFT_SET_CONSTANT))
 		return -EBUSY;
 
 	nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
-- 
2.30.2

next prev parent reply	other threads:[~2023-09-13 21:58 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-09-13 21:57 [PATCH net 0/9] Netfilter fixes for net Pablo Neira Ayuso
2023-09-13 21:57 ` [PATCH net 1/9] netfilter: nf_tables: disallow rule removal from chain binding Pablo Neira Ayuso
2023-09-13 21:57 ` [PATCH net 2/9] netfilter: nft_set_rbtree: use read spinlock to avoid datapath contention Pablo Neira Ayuso
2023-09-13 21:57 ` [PATCH net 3/9] netfilter: nft_set_pipapo: call nft_trans_gc_queue_sync() in catchall GC Pablo Neira Ayuso
2023-09-13 21:57 ` [PATCH net 4/9] netfilter: nft_set_pipapo: stop GC iteration if GC transaction allocation fails Pablo Neira Ayuso
2023-09-13 21:57 ` [PATCH net 5/9] netfilter: nft_set_hash: try later when GC hits EAGAIN on iteration Pablo Neira Ayuso
2023-09-13 21:57 ` Pablo Neira Ayuso [this message]
2023-09-13 21:57 ` [PATCH net 7/9] netfilter: conntrack: fix extension size table Pablo Neira Ayuso
2023-09-13 21:57 ` [PATCH net 8/9] netfilter: nf_tables: Fix entries val in rule reset audit log Pablo Neira Ayuso
2023-09-13 21:58 ` [PATCH net 9/9] selftests: netfilter: Test nf_tables audit logging Pablo Neira Ayuso

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:7b59311931f dfblob:c1e485aee76 )
 OR (
bs:"[PATCH net 6/9] netfilter: nf_tables: disallow element removal on anonymous sets" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230913215800.107269-7-pablo@netfilter.org \
    --to=pablo@netfilter.org \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=kuba@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pabeni@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).