projects / openwrt / staging / blogic.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 8e1102d)
netfilter: nf_tables: always use an upper set size for dynsets
authorFlorian Westphal <fw@strlen.de>
Mon, 16 Apr 2018 16:52:58 +0000 (18:52 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Tue, 24 Apr 2018 08:29:21 +0000 (10:29 +0200)
nft rejects rules that lack a timeout and a size limit when they're used
to add elements from packet path.

Pick a sane upperlimit instead of rejecting outright.
The upperlimit is visible to userspace, just as if it would have been
given during set declaration.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nft_dynset.c patch | blob | history

diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index 04863fad05ddd23c33f679232fd926ac57888590..5cc3509659c69f5550dbe455dd8c24ba57229712 100644 (file)
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -36,7 +36,7 @@ static void *nft_dynset_new(struct nft_set *set, const struct nft_expr *expr,
        u64 timeout;
        void *elem;
 
-       if (set->size && !atomic_add_unless(&set->nelems, 1, set->size))
+       if (!atomic_add_unless(&set->nelems, 1, set->size))
                return NULL;
 
        timeout = priv->timeout ? : set->timeout;
@@ -216,6 +216,9 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
        if (err < 0)
                goto err1;
 
+       if (set->size == 0)
+               set->size = 0xffff;
+
        priv->set = set;
        return 0;
 
John Crispins staging tree