Commit 79e98cd7 authored Jun 13, 2024 by Pablo Neira Ayuso Committed by Greg Kroah-Hartman Jun 16, 2024

netfilter: nft_dynset: relax superfluous check on set updates

commit 7b1394892de8d95748d05e3ee41e85edb4abbfa1 upstream.

Relax this condition to make add and update commands idempotent for sets
with no timeout. The eval function already checks if the set element
timeout is available and updates it if the update command is used.

Fixes: 22fe54d5 ("netfilter: nf_tables: add support for dynamic set updates")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent c5c4746c

net/netfilter/nft_dynset.c

+1 −9

Original line number	Diff line number	Diff line
		@@ -154,16 +154,8 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
		return -EBUSY;

		priv->op = ntohl(nla_get_be32(tb[NFTA_DYNSET_OP]));
		switch (priv->op) {
		case NFT_DYNSET_OP_ADD:
		break;
		case NFT_DYNSET_OP_UPDATE:
		if (!(set->flags & NFT_SET_TIMEOUT))
		return -EOPNOTSUPP;
		break;
		default:
		if (priv->op > NFT_DYNSET_OP_UPDATE)
		return -EOPNOTSUPP;
		}

		timeout = 0;
		if (tb[NFTA_DYNSET_TIMEOUT] != NULL) {