From patchwork Mon Dec 10 17:20:10 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Patrick McHardy <kaber@trash.net>
X-Patchwork-Id: 204995
Return-Path: <netfilter-devel-owner@vger.kernel.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id CB0C02C032B
	for <incoming@patchwork.ozlabs.org>;
	Tue, 11 Dec 2012 04:31:44 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751006Ab2LJRbm (ORCPT <rfc822;incoming@patchwork.ozlabs.org>);
	Mon, 10 Dec 2012 12:31:42 -0500
Received: from stinky.trash.net ([213.144.137.162]:36284 "EHLO
	stinky.trash.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751337Ab2LJRbl (ORCPT
	<rfc822;netfilter-devel@vger.kernel.org>);
	Mon, 10 Dec 2012 12:31:41 -0500
Received: from macbook.localnet (localhost [127.0.0.1])
	by stinky.trash.net (Postfix) with ESMTP id D5D8F9D2E1;
	Mon, 10 Dec 2012 18:20:23 +0100 (MET)
From: kaber@trash.net
To: pablo@netfilter.org
Cc: netfilter-devel@vger.kernel.org, Patrick McHardy <kaber@trash.net>
Subject: 
 =?UTF-8?q?=5BPATCH=203/5=5D=20netfilter=3A=20nf=5Ftables=3A=20destroy=20anonymous=20sets=20immediately=20if=20binding=20fails?=
Date: Mon, 10 Dec 2012 18:20:10 +0100
Message-Id: <1355160012-13952-4-git-send-email-kaber@trash.net>
X-Mailer: git-send-email 1.7.11.7
In-Reply-To: <1355160012-13952-1-git-send-email-kaber@trash.net>
References: <1355160012-13952-1-git-send-email-kaber@trash.net>
MIME-Version: 1.0
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk
List-ID: <netfilter-devel.vger.kernel.org>
X-Mailing-List: netfilter-devel@vger.kernel.org

From: Patrick McHardy <kaber@trash.net>

Treat a failed binding similar to binding+unbinding and destroy the
set immediately to avoid leaving stray sets in the table.

Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 net/netfilter/nf_tables_api.c | 10 +++++++++-
 1 Datei geändert, 9 Zeilen hinzugefügt(+), 1 Zeile entfernt(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 570b877..c0f0cf06e 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1980,6 +1980,9 @@ int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
 {
 	struct nft_set_bind_check_args args;
 
+	if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
+		return -EBUSY;
+
 	if (set->flags & NFT_SET_MAP) {
 		args.iter.skip 	= 0;
 		args.iter.count	= 0;
@@ -1988,8 +1991,13 @@ int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
 		args.ctx	= ctx;
 
 		set->ops->walk(set, &args.iter);
-		if (args.iter.err < 0)
+		if (args.iter.err < 0) {
+			/* Destroy anonymous sets if binding fails */
+			if (set->flags & NFT_SET_ANONYMOUS)
+				nf_tables_set_destroy(ctx, set);
+
 			return args.iter.err;
+		}
 	}
 
 	binding->chain = ctx->chain;