Commit 91a139ce authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso

netfilter: nft_limit: do not ignore unsupported flags



Bail out if userspace provides unsupported flags, otherwise future
extensions to the limit expression will be silently ignored by the
kernel.

Fixes: c7862a5f ("netfilter: nft_limit: allow to invert matching criteria")
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 3c13725f
+12 −7
@@ -58,6 +58,7 @@ static inline bool nft_limit_eval(struct nft_limit_priv *priv, u64 cost)
static int nft_limit_init(struct nft_limit_priv *priv,
			  const struct nlattr * const tb[], bool pkts)
{
	bool invert = false;
	u64 unit, tokens;

	if (tb[NFTA_LIMIT_RATE] == NULL ||
@@ -90,19 +91,23 @@ static int nft_limit_init(struct nft_limit_priv *priv,
				 priv->rate);
	}

	if (tb[NFTA_LIMIT_FLAGS]) {
		u32 flags = ntohl(nla_get_be32(tb[NFTA_LIMIT_FLAGS]));

		if (flags & ~NFT_LIMIT_F_INV)
			return -EOPNOTSUPP;

		if (flags & NFT_LIMIT_F_INV)
			invert = true;
	}

	priv->limit = kmalloc(sizeof(*priv->limit), GFP_KERNEL_ACCOUNT);
	if (!priv->limit)
		return -ENOMEM;

	priv->limit->tokens = tokens;
	priv->tokens_max = priv->limit->tokens;

	if (tb[NFTA_LIMIT_FLAGS]) {
		u32 flags = ntohl(nla_get_be32(tb[NFTA_LIMIT_FLAGS]));

		if (flags & NFT_LIMIT_F_INV)
			priv->invert = true;
	}
	priv->invert = invert;
	priv->limit->last = ktime_get_ns();
	spin_lock_init(&priv->limit->lock);