Commit 77a92189 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso
Browse files

netfilter: nf_tables: report EEXIST on overlaps 

Replace EBUSY by EEXIST in the following cases:

- If the user adds a chain with a different configuration such as different
  type, hook and priority.

- If the user adds a non-base chain that clashes with an existing basechain.

- If the user adds a { key : value } mapping element and the key exists
  but the value differs.

- If the device already belongs to an existing flowtable.

User describe that this error reporting is confusing:

- https://bugzilla.netfilter.org/show_bug.cgi?id=1176
- https://bugzilla.netfilter.org/show_bug.cgi?id=1413



Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 83d9dcba

net/netfilter/nf_tables_api.c

+7 −9
Original line number Diff line number Diff line
@@ -2097,7 +2097,7 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, 


	if (nla[NFTA_CHAIN_HOOK]) {

		if (!nft_is_base_chain(chain))

			return -EBUSY;

			return -EEXIST;



		err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,

					   false);
@@ -2107,21 +2107,21 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, 
		basechain = nft_base_chain(chain);

		if (basechain->type != hook.type) {

			nft_chain_release_hook(&hook);

			return -EBUSY;

			return -EEXIST;

		}



		if (ctx->family == NFPROTO_NETDEV) {

			if (!nft_hook_list_equal(&basechain->hook_list,

						 &hook.list)) {

				nft_chain_release_hook(&hook);

				return -EBUSY;

				return -EEXIST;

			}

		} else {

			ops = &basechain->ops;

			if (ops->hooknum != hook.num ||

			    ops->priority != hook.priority) {

				nft_chain_release_hook(&hook);

				return -EBUSY;

				return -EEXIST;

			}

		}

		nft_chain_release_hook(&hook);
@@ -5262,10 +5262,8 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, 
			if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^

			    nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||

			    nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^

			    nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {

				err = -EBUSY;

			    nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))

				goto err_element_clash;

			}

			if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&

			     nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&

			     memcmp(nft_set_ext_data(ext),
@@ -5273,7 +5271,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, 
			    (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&

			     nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&

			     *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))

				err = -EBUSY;

				goto err_element_clash;

			else if (!(nlmsg_flags & NLM_F_EXCL))

				err = 0;

		} else if (err == -ENOTEMPTY) {
@@ -6423,7 +6421,7 @@ static int nft_register_flowtable_net_hooks(struct net *net, 
			list_for_each_entry(hook2, &ft->hook_list, list) {

				if (hook->ops.dev == hook2->ops.dev &&

				    hook->ops.pf == hook2->ops.pf) {

					err = -EBUSY;

					err = -EEXIST;

					goto err_unregister_net_hooks;

				}

			}

CRA Git | Maintained and supported by SUSTech CRA and CCSE