Commit b75a3e83 authored by Pablo Neira Ayuso

netfilter: nf_tables: allow netdevice to be used only once per flowtable



Allow a netdevice to be used only once per flowtable; otherwise return EEXIST.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent 3f0465a9
+17 −0
@@ -1538,6 +1538,19 @@ err_hook_alloc:
	return ERR_PTR(err);
}

static bool nft_hook_list_find(struct list_head *hook_list,
			       const struct nft_hook *this)
{
	struct nft_hook *hook;

	list_for_each_entry(hook, hook_list, list) {
		if (this->ops.dev == hook->ops.dev)
			return true;
	}

	return false;
}

static int nf_tables_parse_netdev_hooks(struct net *net,
					const struct nlattr *attr,
					struct list_head *hook_list)
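Review bot: nft_hook_list_find returns only a bool and nothing says what "same hook" means here — the loop compares `this->ops.dev == hook->ops.dev`, so two hooks are duplicates exactly when they reference the same net_device, whatever their other ops fields; I'd add above the definition `/* Two hooks match when they bind the same net_device; used to reject a device listed twice in one flowtable (-EEXIST). */`. Because the match is pointer equality, it assumes ops.dev is already resolved for both hooks when the caller runs the check; if an unresolved hook could still carry a NULL ops.dev at that point, two such hooks would compare equal and be rejected as duplicates — worth confirming against nft_netdev_hook_alloc, whose err_hook_alloc tail is the context above this hunk. The scan is linear per inserted hook, so parsing in nf_tables_parse_netdev_hooks becomes quadratic in the number of devices, which is acceptable only while the device attribute count stays small.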
@@ -1557,6 +1570,10 @@ static int nf_tables_parse_netdev_hooks(struct net *net,
			err = PTR_ERR(hook);
			goto err_hook;
		}
		if (nft_hook_list_find(hook_list, hook)) {
			err = -EEXIST;
			goto err_hook;
		}
		list_add_tail(&hook->list, hook_list);
		n++;