Commit 74e8bcd2 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso

netfilter: nf_tables: add check_genid to the nfnetlink subsystem

This patch implements the check generation id as provided by nfnetlink.
This allows us to reject ruleset updates against stale baseline, so
userspace can retry update with a fresh ruleset cache.
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 8c4d4e8b
...@@ -4972,6 +4972,11 @@ static int nf_tables_abort(struct net *net, struct sk_buff *skb) ...@@ -4972,6 +4972,11 @@ static int nf_tables_abort(struct net *net, struct sk_buff *skb)
return 0; return 0;
} }
static bool nf_tables_valid_genid(struct net *net, u32 genid)
{
return net->nft.base_seq == genid;
}
static const struct nfnetlink_subsystem nf_tables_subsys = { static const struct nfnetlink_subsystem nf_tables_subsys = {
.name = "nf_tables", .name = "nf_tables",
.subsys_id = NFNL_SUBSYS_NFTABLES, .subsys_id = NFNL_SUBSYS_NFTABLES,
...@@ -4979,6 +4984,7 @@ static const struct nfnetlink_subsystem nf_tables_subsys = { ...@@ -4979,6 +4984,7 @@ static const struct nfnetlink_subsystem nf_tables_subsys = {
.cb = nf_tables_cb, .cb = nf_tables_cb,
.commit = nf_tables_commit, .commit = nf_tables_commit,
.abort = nf_tables_abort, .abort = nf_tables_abort,
.valid_genid = nf_tables_valid_genid,
}; };
int nft_chain_validate_dependency(const struct nft_chain *chain, int nft_chain_validate_dependency(const struct nft_chain *chain,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment