netfilter: nf_tables: perform type checking for existing sets (f6594c37) · Commits · Mirrors / github.com / raspberrypi_linux · GitLab

Commit f6594c37 authored Dec 19, 2022 by

Pablo Neira Ayuso

netfilter: nf_tables: perform type checking for existing sets

If a ruleset declares a set name that matches an existing set in the
kernel, then validate that this declaration really refers to the same
set, otherwise bail out with EEXIST.

Currently, the kernel reports success when adding a set that already
exists in the kernel. This usually results in EINVAL errors at a later
stage, when the user adds elements to the set, if the set declaration
mismatches the existing set representation in the kernel.

Add a new function to check that the set declaration really refers to
the same existing set in the kernel.

Fixes: 96518518

 ("netfilter: add nftables")
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent a8fe4154

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit 9d30cb44
· Jan 14, 2023

mentioned in commit 9d30cb44

mentioned in commit 9d30cb442156ebca5524927b73358cb5b8baf5be

Toggle commit list
mirror @mirror
mentioned in commit 996cd779
· Jan 14, 2023

mentioned in commit 996cd779

mentioned in commit 996cd779c2a43e59a8717ad74b5088ab239bc54d

Toggle commit list
mirror @mirror
mentioned in commit c3bfb778
· Jan 14, 2023

mentioned in commit c3bfb778

mentioned in commit c3bfb7784a09a10bca3e42f6d20ff02346a5bd40

Toggle commit list

Please register or to comment