Patchwork [3/5] netfilter: nf_tables: destroy anonymous sets immediately if binding fails

Submitter Patrick McHardy
Date Dec. 10, 2012, 5:20 p.m.
Message ID <1355160012-13952-4-git-send-email-kaber@trash.net>
Permalink /patch/204995/
State Accepted

Comments

Patrick McHardy - Dec. 10, 2012, 5:20 p.m.
From: Patrick McHardy <kaber@trash.net>

Treat a failed binding similar to binding+unbinding and destroy the
set immediately to avoid leaving stray sets in the table.

Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 net/netfilter/nf_tables_api.c | 10 +++++++++-
 1 Datei geändert, 9 Zeilen hinzugefügt(+), 1 Zeile entfernt(-)

Patch

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 570b877..c0f0cf06e 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1980,6 +1980,9 @@  int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
 {
 	struct nft_set_bind_check_args args;
 
+	if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
+		return -EBUSY;
+
 	if (set->flags & NFT_SET_MAP) {
 		args.iter.skip 	= 0;
 		args.iter.count	= 0;
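Review bot: the new -EBUSY check at the top of nf_tables_bind_set() adds a second rule, that an anonymous set may only be bound once, which the changelog does not mention (it only describes destroying the set when binding fails); please add a sentence about the single-binding restriction to the commit description. Also consider writing the condition as `set->flags & NFT_SET_ANONYMOUS` with explicit parentheses around the bitwise test so the intended precedence of `&` over `&&` is obvious to readers.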
@@ -1988,8 +1991,13 @@  int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
 		args.ctx	= ctx;
 
 		set->ops->walk(set, &args.iter);
-		if (args.iter.err < 0)
+		if (args.iter.err < 0) {
+			/* Destroy anonymous sets if binding fails */
+			if (set->flags & NFT_SET_ANONYMOUS)
+				nf_tables_set_destroy(ctx, set);
+
 			return args.iter.err;
+		}
 	}
 
 	binding->chain = ctx->chain;
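Review bot: the walk error path now frees `set` via nf_tables_set_destroy(ctx, set) before returning args.iter.err, so an anonymous set passed in by the caller no longer exists once the function returns an error; this ownership change should be stated in a comment above nf_tables_bind_set() and checked in every caller, so that no caller dereferences the set, unbinds it or destroys it again on failure. It is also worth noting in that comment that only the NFT_SET_MAP walk failure destroys the set, while the earlier -EBUSY return leaves it intact (correct, since it is still bound elsewhere), so callers can tell the two error cases apart.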