Commit 81ec6107 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso
Browse files

netfilter: nf_tables_offload: return EOPNOTSUPP if rule specifies no actions 



If the rule only specifies the matching side, return EOPNOTSUPP.
Otherwise, the front-end relies on the drivers to reject this rule.

Fixes: c9626a2c ("netfilter: nf_tables: add hardware offload support")
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent fd57d0cb

net/netfilter/nf_tables_offload.c

+3 −0
Original line number Diff line number Diff line
@@ -44,6 +44,9 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net, 
		expr = nft_expr_next(expr);

	}



	if (num_actions == 0)

		return ERR_PTR(-EOPNOTSUPP);



	flow = nft_flow_rule_alloc(num_actions);

	if (!flow)

		return ERR_PTR(-ENOMEM);

CRA Git | Maintained and supported by SUSTech CRA and CCSE