Commit fca05d4d authored Jan 16, 2021 by Pablo Neira Ayuso

netfilter: nft_dynset: honor stateful expressions in set definition

If the set definition contains stateful expressions, allocate them for
the newly added entries from the packet path.

Fixes: 65038428 ("netfilter: nf_tables: allow to specify stateful expression in set definition")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent c8a8ead0

include/net/netfilter/nf_tables.h

+2 −0

Original line number	Diff line number	Diff line
		@@ -721,6 +721,8 @@ void nft_set_elem_init(const struct nft_set set,
		const struct nft_set_ext_tmpl *tmpl,
		const u32 key, const u32 key_end, const u32 *data,
		u64 timeout, u64 expiration, gfp_t gfp);
		int nft_set_elem_expr_clone(const struct nft_ctx ctx, struct nft_set set,
		struct nft_expr *expr_array[]);
		void nft_set_elem_destroy(const struct nft_set set, void elem,
		bool destroy_expr);

net/netfilter/nf_tables_api.c

+2 −3

Original line number	Diff line number	Diff line
		@@ -5235,8 +5235,7 @@ static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
		kfree(elem);
		}

		static int nft_set_elem_expr_clone(const struct nft_ctx *ctx,
		struct nft_set *set,
		int nft_set_elem_expr_clone(const struct nft_ctx ctx, struct nft_set set,
		struct nft_expr *expr_array[])
		{
		struct nft_expr *expr;

net/netfilter/nft_dynset.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -295,6 +295,12 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
		err = -EOPNOTSUPP;
		goto err_expr_free;
		}
		} else if (set->num_exprs > 0) {
		err = nft_set_elem_expr_clone(ctx, set, priv->expr_array);
		if (err < 0)
		return err;

		priv->num_exprs = set->num_exprs;
		}

		nft_set_ext_prepare(&priv->tmpl);