@@ -343,6 +343,11 @@ static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *tr
nft_set_is_anonymous(nft_trans_set(trans)))
list_add_tail(&trans->binding_list, &nft_net->binding_list);
break;
+ case NFT_MSG_NEWCHAIN:
+ if (!nft_trans_chain_update(trans) &&
+ nft_chain_binding(nft_trans_chain(trans)))
+ list_add_tail(&trans->binding_list, &nft_net->binding_list);
+ break;
}
list_add_tail(&trans->list, &nft_net->commit_list);
@@ -9365,6 +9370,14 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
return -EINVAL;
}
break;
+ case NFT_MSG_NEWCHAIN:
+ if (!nft_trans_chain_update(trans) &&
+ nft_chain_binding(nft_trans_chain(trans)) &&
+ !nft_trans_chain_bound(trans)) {
+ pr_warn_once("nftables ruleset with unbound chain\n");
+ return -EINVAL;
+ }
+ break;
}
}
Use binding list to track set transaction and to check for unbound chains before entering the commit phase. Bail out if chain binding remain unused before entering the commit step. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- v4: no changes net/netfilter/nf_tables_api.c | 13 +++++++++++++ 1 file changed, 13 insertions(+)