
Commit 33431b9

netfilter: nftables: add helper function to flush set elements
jira LE-3201 cve CVE-2024-27017 Rebuild_History Non-Buildable kernel-rt-4.18.0-553.27.1.rt7.368.el8_10 commit-author Pablo Neira Ayuso <[email protected]> commit e6ba7cb Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-rt-4.18.0-553.27.1.rt7.368.el8_10/e6ba7cb6.failed This patch adds nft_set_flush() which prepares for the catch-all element support. Signed-off-by: Pablo Neira Ayuso <[email protected]> (cherry picked from commit e6ba7cb) Signed-off-by: Jonathan Maple <[email protected]> # Conflicts: # net/netfilter/nf_tables_api.c
1 parent dce3a50 commit 33431b9

1 file changed

+112
-0
lines changed

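--- a/ciq/ciq_backports/kernel-rt-4.18.0-553.27.1.rt7.368.el8_10/e6ba7cb6.failed
+++ b/ciq/ciq_backports/kernel-rt-4.18.0-553.27.1.rt7.368.el8_10/e6ba7cb6.failed
@@ -0,0 +1,112 @@
+netfilter: nftables: add helper function to flush set elements
+
+jira LE-3201
+cve CVE-2024-27017
+Rebuild_History Non-Buildable kernel-rt-4.18.0-553.27.1.rt7.368.el8_10
+commit-author Pablo Neira Ayuso <[email protected]>
+commit e6ba7cb63b8ae0e13e6c2acc4067097c1181f6bf
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-rt-4.18.0-553.27.1.rt7.368.el8_10/e6ba7cb6.failed
+
+This patch adds nft_set_flush() which prepares for the catch-all
+element support.
+
+Signed-off-by: Pablo Neira Ayuso <[email protected]>
+(cherry picked from commit e6ba7cb63b8ae0e13e6c2acc4067097c1181f6bf)
+Signed-off-by: Jonathan Maple <[email protected]>
+
+# Conflicts:
+# net/netfilter/nf_tables_api.c
+diff --cc net/netfilter/nf_tables_api.c
+index a8d03cec29c3,3342f260d534..000000000000
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@@ -5955,12 -5839,13 +5955,12 @@@ fail_elem
+return err;
+}
+
+- static int nft_flush_set(const struct nft_ctx *ctx,
+- struct nft_set *set,
+- const struct nft_set_iter *iter,
+- struct nft_set_elem *elem)
++ static int nft_setelem_flush(const struct nft_ctx *ctx,
++ struct nft_set *set,
++ const struct nft_set_iter *iter,
++ struct nft_set_elem *elem)
+{
+struct nft_trans *trans;
+- int err;
+
+trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
+sizeof(struct nft_trans_elem), GFP_ATOMIC);
+@@@ -5973,17 -5861,33 +5973,35 @@@
+nft_setelem_data_deactivate(ctx->net, set, elem);
+nft_trans_elem_set(trans) = set;
+nft_trans_elem(trans) = *elem;
+- nft_trans_commit_list_add_tail(ctx->net, trans);
++ list_add_tail(&trans->list, &ctx->net->nft.commit_list);
+
+return 0;
+-err1:
+- kfree(trans);
+- return err;
+}
+
+++<<<<<<< HEAD
++static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
++ struct sk_buff *skb, const struct nlmsghdr *nlh,
++ const struct nlattr * const nla[],
++ struct netlink_ext_ack *extack)
+++=======
++ static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask)
++ {
++ struct nft_set_iter iter = {
++ .genmask = genmask,
++ .fn = nft_setelem_flush,
++ };
++
++ set->ops->walk(ctx, set, &iter);
++
++ return iter.err;
++ }
++
++ static int nf_tables_delsetelem(struct sk_buff *skb,
++ const struct nfnl_info *info,
++ const struct nlattr * const nla[])
+++>>>>>>> e6ba7cb63b8a (netfilter: nftables: add helper function to flush set elements)
+{
+- struct netlink_ext_ack *extack = info->extack;
+- u8 genmask = nft_genmask_next(info->net);
+- struct net *net = info->net;
++ u8 genmask = nft_genmask_next(net);
+const struct nlattr *attr;
+struct nft_set *set;
+struct nft_ctx ctx;
+@@@ -5997,22 -5901,11 +6015,15 @@@
+set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
+if (IS_ERR(set))
+return PTR_ERR(set);
+- if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
++
++ if (nft_set_is_anonymous(set))
++ return -EOPNOTSUPP;
++
++ if (!list_empty(&set->bindings) && (set->flags & NFT_SET_CONSTANT))
+return -EBUSY;
+
+- if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
+- struct nft_set_iter iter = {
+- .genmask = genmask,
+- .fn = nft_flush_set,
+- };
+- set->ops->walk(&ctx, set, &iter);
+-
+- return iter.err;
+- }
++ if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
++ return nft_set_flush(&ctx, set, genmask);
+
+nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
+err = nft_del_setelem(&ctx, set, attr);
+* Unmerged path net/netfilter/nf_tables_api.c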
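Review bot: The only real conflict in this recorded cherry-pick is the nf_tables_delsetelem() prototype — the `<<<<<<< HEAD` side keeps the el8 `struct net *net, struct sock *nlsk, const struct nlmsghdr *nlh, ... extack` signature while upstream has moved to `const struct nfnl_info *info` — and the new nft_set_flush() helper itself does not conflict, so the resolution is to insert nft_set_flush() unchanged above the HEAD-side prototype and keep `u8 genmask = nft_genmask_next(net);` as this tree already does. Until that resolution lands in the final tarball, the branch has no nft_set_flush(), so any later patch in the CVE-2024-27017 chain that calls it (the catch-all element support this helper is stated to prepare for) will fail to build against this branch; this commit is a placeholder, not the CVE fix, and that should be explicit in the tracking for LE-3201. The listing also shows nft_setelem_flush() queuing with `list_add_tail(&trans->list, &ctx->net->nft.commit_list)` where upstream uses `nft_trans_commit_list_add_tail()`; that appears to be this tree's older transaction API, and the resolver should keep the HEAD form rather than pulling in the upstream helper. The body of nf_tables_delsetelem() continues past the end of the recorded hunk.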
