MIRRORS/linux-imx
1
0
Fork 0
mirror of https://github.com/nxp-imx/linux-imx.git synced 2025-07-06 17:35:20 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

netfilter: nf_tables: reject element expiration with no timeout

Browse Source 
[ Upstream commit d2dc429ecb ]

If element timeout is unset and set provides no default timeout, the
element expiration is silently ignored, reject this instead to let user
know this is unsupported.

Also prepare for supporting timeout that never expire, where zero
timeout and expiration must be also rejected.

Fixes: 8e1102d5a1 ("netfilter: nf_tables: support timeouts larger than 23 days")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Pablo Neira Ayuso 2024-09-03 01:06:49 +02:00 committed by Greg Kroah-Hartman
parent 08b25d59ff
commit 2a5e648a0c
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
net/netfilter/nf_tables_api.c
View File

@ -6698,6 +6698,9 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) { if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
if (!(set->flags & NFT_SET_TIMEOUT)) if (!(set->flags & NFT_SET_TIMEOUT))
return -EINVAL; return -EINVAL;
if (timeout == 0)
return -EOPNOTSUPP;
err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION], err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
&expiration); &expiration);
if (err) if (err)