[nf,5/5] netfilter: nf_tables: add call validate callback.

Message ID 20180515122414.29570-1-ap420073@gmail.com
State RFC
Delegated to: Pablo Neira
Series
  • netfilter: nf_tables: add validate non-basechain ruleset routine

Commit Message

Taehee Yoo May 15, 2018, 12:24 p.m.
A validate callback is called just before calling a ->commit callback.
If it fails, ->abort is called.

Signed-off-by: Taehee Yoo <ap420073@gmail.com>
---
 net/netfilter/nfnetlink.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

Patch

diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 03ead8a..b9b6401 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -441,8 +441,21 @@  static void nfnetlink_rcv_batch(struct sk_buff *skb, struct nlmsghdr *nlh,
 		kfree_skb(skb);
 		goto replay;
 	} else if (status == NFNL_BATCH_DONE) {
+		if (ss->validate) {
+			err = ss->validate(net);
+			if (err < 0) {
+				if (nfnl_err_add(&err_list, nlmsg_hdr(oskb),
+						 err, &extack) < 0) {
+					nfnl_err_reset(&err_list);
+					netlink_ack(oskb, nlmsg_hdr(oskb),
+						    -ENOMEM, NULL);
+				}
+				goto abort;
+			}
+		}
 		ss->commit(net, oskb);
 	} else {
+abort:
 		ss->abort(net, oskb);
 	}
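Review bot: the new `abort:` label sits at the top of the `else` body, so `goto abort` from the `NFNL_BATCH_DONE` branch jumps into a different branch's block; that is legal C and does skip `ss->commit(net, oskb)` as intended, but it is easy to misread and fragile if the `else` body ever grows. Consider calling `ss->abort(net, oskb)` directly after the error has been queued (or placing the label after the whole if/else chain) so the failure path reads top to bottom. Two smaller points: the `ss->validate` NULL check means subsystems without a validate hook keep the old commit-only behaviour, which the commit message should state; and when `nfnl_err_add()` fails, the original validation `err` is lost and only `-ENOMEM` is reported back, which matches the existing error handling in this function but is worth a comment.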