Commit 0617c3de authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso

netfilter: nf_tables: reject invalid set policy



Report -EINVAL in case userspace provides an unsupported set backend
policy.

Fixes: c50b960c ("netfilter: nf_tables: implement proper set selection")
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent ea937f77
+9 −1
@@ -5048,8 +5048,16 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
	}

	desc.policy = NFT_SET_POL_PERFORMANCE;
	if (nla[NFTA_SET_POLICY] != NULL)
	if (nla[NFTA_SET_POLICY] != NULL) {
		desc.policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
		switch (desc.policy) {
		case NFT_SET_POL_PERFORMANCE:
		case NFT_SET_POL_MEMORY:
			break;
		default:
			return -EOPNOTSUPP;
		}
	}

	if (nla[NFTA_SET_DESC] != NULL) {
		err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
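Review bot: The `default:` branch of the new switch returns `-EOPNOTSUPP`, while the commit description says an unsupported policy is reported as `-EINVAL`, so userspace that keys off the errno will not see what the log documents. Either change the branch to `return -EINVAL;` or correct the description so the two agree. The attribute value is also written into `desc.policy` before it is checked; that is harmless here because the function returns immediately, but reading it into a local and assigning only after the switch would keep `desc` free of unvalidated netlink input. nf_tables_newset starts before and continues past this hunk, so whether anything needs unwinding before this early return cannot be confirmed from the visible lines.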