
netfilter: nf_tables: do not refresh timeout when resetting element

The dump and reset command should not refresh the timeout; this command
is intended to allow users to list existing stateful objects and reset
them. Element expiration should instead be refreshed via a transaction
with a specific command for that purpose; otherwise this enters combined
semantics that will be hard to undo later (e.g. a user asking to
retrieve counters but _not_ requiring to refresh expiration).

Fixes: 079cd633219d ("netfilter: nf_tables: Introduce NFT_MSG_GETSETELEM_RESET")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>

authored by

Pablo Neira Ayuso and committed by
Florian Westphal
4c90bba6 d51c42cd

+5 -13
+5 -13
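--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5556,7 +5556,6 @@
 	const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
 	unsigned char *b = skb_tail_pointer(skb);
 	struct nlattr *nest;
-	u64 timeout = 0;
 
 	nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
 	if (nest == NULL)
@@ -5591,15 +5592,11 @@
 			 htonl(*nft_set_ext_flags(ext))))
 		goto nla_put_failure;
 
-	if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) {
-		timeout = *nft_set_ext_timeout(ext);
-		if (nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
-				 nf_jiffies64_to_msecs(timeout),
-				 NFTA_SET_ELEM_PAD))
-			goto nla_put_failure;
-	} else if (set->flags & NFT_SET_TIMEOUT) {
-		timeout = READ_ONCE(set->timeout);
-	}
+	if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
+	    nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
+			 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
+			 NFTA_SET_ELEM_PAD))
+		goto nla_put_failure;
 
 	if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
 		u64 expires, now = get_jiffies_64();
@@ -5610,9 +5615,6 @@
 				 nf_jiffies64_to_msecs(expires),
 				 NFTA_SET_ELEM_PAD))
 			goto nla_put_failure;
-
-		if (reset)
-			*nft_set_ext_expiration(ext) = now + timeout;
 	}
 
 	if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {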
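Review bot: The `now` local at new line 5602 (`u64 expires, now = get_jiffies_64();`) lost one of its two uses when the `now + timeout` refresh was removed; if the hidden lines 5603-5609 still read it to derive `expires` it stays live, but that is worth confirming so the build does not pick up an unused-variable warning. Likewise, if `reset` was only read in the removed block, the `reset` parameter is now dead in this function and should either be dropped from the signature or its remaining consumer named; expression/counter reset is a plausible remaining use, but it sits outside the hunk. A short comment ahead of the expiration branch would keep the old behavior from being reintroduced: `/* dump+reset leaves expiration untouched; refreshing it is a separate transaction */`. The enclosing function starts before the first hunk and ends after the last.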