Commit 32fc7187 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso

netfilter: nf_tables: return EBUSY if device already belongs to flowtable

If the netdevice is already part of a flowtable, return EBUSY. I cannot
find a valid usecase for having two flowtables bound to the same
netdevice. We can still have two flowtable where the device set is
disjoint.
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 7d98386d
...@@ -5037,9 +5037,9 @@ static int nf_tables_newflowtable(struct net *net, struct sock *nlsk, ...@@ -5037,9 +5037,9 @@ static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
{ {
const struct nfgenmsg *nfmsg = nlmsg_data(nlh); const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
const struct nf_flowtable_type *type; const struct nf_flowtable_type *type;
struct nft_flowtable *flowtable, *ft;
u8 genmask = nft_genmask_next(net); u8 genmask = nft_genmask_next(net);
int family = nfmsg->nfgen_family; int family = nfmsg->nfgen_family;
struct nft_flowtable *flowtable;
struct nft_table *table; struct nft_table *table;
struct nft_ctx ctx; struct nft_ctx ctx;
int err, i, k; int err, i, k;
...@@ -5099,6 +5099,22 @@ static int nf_tables_newflowtable(struct net *net, struct sock *nlsk, ...@@ -5099,6 +5099,22 @@ static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
goto err3; goto err3;
for (i = 0; i < flowtable->ops_len; i++) { for (i = 0; i < flowtable->ops_len; i++) {
if (!flowtable->ops[i].dev)
continue;
list_for_each_entry(ft, &table->flowtables, list) {
for (k = 0; k < ft->ops_len; k++) {
if (!ft->ops[k].dev)
continue;
if (flowtable->ops[i].dev == ft->ops[k].dev &&
flowtable->ops[i].pf == ft->ops[k].pf) {
err = -EBUSY;
goto err4;
}
}
}
err = nf_register_net_hook(net, &flowtable->ops[i]); err = nf_register_net_hook(net, &flowtable->ops[i]);
if (err < 0) if (err < 0)
goto err4; goto err4;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment