netfilter: nf_tables: disallow updates of anonymous sets

gvrose8192 · gvrose8192 · commit c441e4d739f9 · 2024-10-21T14:23:49.000-07:00
jira VUlN-429 subsystem-sync netfilter:nf_tables 4.18.0-511 commit-author Pablo Neira Ayuso <pablo@netfilter.org> commit b770283 Disallow updates of set timeout and garbage collection parameters for anonymous sets. Fixes: 123b996 ("netfilter: nf_tables: honor set timeout and garbage collection updates") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> (cherry picked from commit b770283) Signed-off-by: Greg Rose <g.v.rose@ciq.com>
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
@@ -4207,6 +4207,9 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk,
 		if (nlh->nlmsg_flags & NLM_F_REPLACE)
 			return -EOPNOTSUPP;
 
+		if (nft_set_is_anonymous(set))
+			return -EOPNOTSUPP;
+
 		return 0;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -4207,6 +4207,9 @@ static int nf_tables_newset(struct net net, struct sock nlsk,`
`4207`	`4207`	`if (nlh->nlmsg_flags & NLM_F_REPLACE)`
`4208`	`4208`	`return -EOPNOTSUPP;`
`4209`	`4209`
	`4210`	`+ if (nft_set_is_anonymous(set))`
	`4211`	`+ return -EOPNOTSUPP;`
	`4212`	`+`
`4210`	`4213`	`return 0;`
`4211`	`4214`	`}`
`4212`	`4215`