
Commit 32fc7187 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso

netfilter: nf_tables: return EBUSY if device already belongs to flowtable



If the netdevice is already part of a flowtable, return EBUSY. I cannot
find a valid usecase for having two flowtables bound to the same
netdevice. We can still have two flowtables whose device sets are
disjoint.

Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 7d98386d
+17 −1
@@ -5037,9 +5037,9 @@ static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
{
	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
	const struct nf_flowtable_type *type;
	struct nft_flowtable *flowtable, *ft;
	u8 genmask = nft_genmask_next(net);
	int family = nfmsg->nfgen_family;
	struct nft_flowtable *flowtable;
	struct nft_table *table;
	struct nft_ctx ctx;
	int err, i, k;
@@ -5099,6 +5099,22 @@ static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
		goto err3;

	for (i = 0; i < flowtable->ops_len; i++) {
		if (!flowtable->ops[i].dev)
			continue;

		list_for_each_entry(ft, &table->flowtables, list) {
			for (k = 0; k < ft->ops_len; k++) {
				if (!ft->ops[k].dev)
					continue;

				if (flowtable->ops[i].dev == ft->ops[k].dev &&
				    flowtable->ops[i].pf == ft->ops[k].pf) {
					err = -EBUSY;
					goto err4;
				}
			}
		}

		err = nf_register_net_hook(net, &flowtable->ops[i]);
		if (err < 0)
			goto err4;
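Review bot: The new duplicate-device check only walks `&table->flowtables`, so the EBUSY invariant described in the commit message is enforced per nft_table rather than per netns/family: a flowtable in a different table of the same family can still bind the same device with the same pf, and the two hook registrations will silently coexist. If per-table is the intended scope, the description and a comment above the `list_for_each_entry` should say so, e.g. `/* Reject devices already hooked by another flowtable in this table */`; if not, the walk needs to cover the other tables as well. The loop also does not consult `genmask` (computed at the top of the function), so a flowtable that is being deleted in the same transaction still triggers EBUSY; if that follows the pattern used elsewhere in this file, `if (!nft_is_active_next(net, ft)) continue;` at the top of the `list_for_each_entry` body would skip it. Note that `goto err4` on a match at index i > 0 relies on the err4 label, which lies outside this hunk, unwinding the hooks registered in earlier iterations; the enclosing function continues past the hunk.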