mirrors/linux
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2026-03-19 18:50:20 -04:00
Code Issues Packages Projects Releases Wiki Activity

netfilter: nf_tables: always use an upper set size for dynsets

Browse Source 
nft rejects rules that lack a timeout and a size limit when they're used
to add elements from packet path.

Pick a sane upperlimit instead of rejecting outright.
The upperlimit is visible to userspace, just as if it would have been
given during set declaration.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Florian Westphal
2018-04-16 18:52:58 +02:00
committed by Pablo Neira Ayuso
parent 8e1102d5a1
commit 99a0efbeeb
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
net/netfilter/nft_dynset.c
View File

@@ -36,7 +36,7 @@ static void *nft_dynset_new(struct nft_set *set, const struct nft_expr *expr,
u64 timeout;
void *elem;
if (set->size && !atomic_add_unless(&set->nelems, 1, set->size))
if (!atomic_add_unless(&set->nelems, 1, set->size))
return NULL;
timeout = priv->timeout ? : set->timeout;
@@ -216,6 +216,9 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
if (err < 0)
goto err1;
if (set->size == 0)
set->size = 0xffff;
priv->set = set;
return 0;