netfilter: nft_dynset: do not reject set updates with NFT_SET_EVAL

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

NFT_SET_EVAL is signalling the kernel that this sets can be updated from
the evaluation path, even if there are no expressions attached to the
element. Otherwise, set updates with no expressions fail. Update
description to describe the right semantics.

Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Pablo Neira Ayuso 7 years ago 215a31f1 3fb61eca

+2 -4

2 changed files

expand all

include

uapi

linux

netfilter

nf_tables.h

net

netfilter

nft_dynset.c

+1 -1

include/uapi/linux/netfilter/nf_tables.h

··· 266 266 * @NFT_SET_INTERVAL: set contains intervals 267 267 * @NFT_SET_MAP: set is used as a dictionary 268 268 * @NFT_SET_TIMEOUT: set uses timeouts 269 - * @NFT_SET_EVAL: set contains expressions for evaluation 269 + * @NFT_SET_EVAL: set can be updated from the evaluation path 270 270 * @NFT_SET_OBJECT: set contains stateful objects 271 271 */ 272 272 enum nft_set_flags {

+1 -3

net/netfilter/nft_dynset.c

··· 203 203 goto err1; 204 204 set->ops->gc_init(set); 205 205 } 206 - 207 - } else if (set->flags & NFT_SET_EVAL) 208 - return -EINVAL; 206 + } 209 207 210 208 nft_set_ext_prepare(&priv->tmpl); 211 209 nft_set_ext_add_length(&priv->tmpl, NFT_SET_EXT_KEY, set->klen);