Commit d4eb7e39 authored Apr 17, 2023 by Pablo Neira Ayuso

netfilter: nf_tables: tighten netlink attribute requirements for catch-all elements



If NFT_SET_ELEM_CATCHALL is set on, then userspace provides no set element
key. Otherwise, bail out with -EINVAL.

Fixes: aaa31047 ("netfilter: nftables: add catch-all set element support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent d46fc894

net/netfilter/nf_tables_api.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -6108,7 +6108,8 @@ static int nft_add_set_elem(struct nft_ctx ctx, struct nft_set set,
		if (err < 0)
		return err;

		if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
		if (((flags & NFT_SET_ELEM_CATCHALL) && nla[NFTA_SET_ELEM_KEY]) \|\|
		(!(flags & NFT_SET_ELEM_CATCHALL) && !nla[NFTA_SET_ELEM_KEY]))
		return -EINVAL;

		if (flags != 0) {