Message ID | 20240315170124.1584-1-tianquan23@gmail.com
---|---
State | New
Series | [nf] netfilter: nf_tables: do not reject dormant flag update for table with owner
On Sat, Mar 16, 2024 at 01:01:24AM +0800, Quan Tian wrote: > If a table was owned by a process, its dormant flag couldn't be updated > because the code required the table to be an orphan. > > $ nft -i > nft> add table ip test { flags owner ; } > nft> list table ip test > table ip test { # progname nft > flags owner > } > nft> add table ip test { flags owner ; flags dormant ; } > Error: Could not process rule: Operation not supported > add table ip test { flags owner ; flags dormant ; } > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Patch LGTM, thanks > Fixes: 31bf508be656 ("netfilter: nf_tables: Implement table adoption support") > Signed-off-by: Quan Tian <tianquan23@gmail.com> > --- > net/netfilter/nf_tables_api.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c > index e93f905e60b6..f06b09b32d80 100644 > --- a/net/netfilter/nf_tables_api.c > +++ b/net/netfilter/nf_tables_api.c > @@ -1219,7 +1219,8 @@ static int nf_tables_updtable(struct nft_ctx *ctx) > if ((nft_table_has_owner(ctx->table) && > !(flags & NFT_TABLE_F_OWNER)) || > (flags & NFT_TABLE_F_OWNER && > - !nft_table_is_orphan(ctx->table))) > + !(nft_table_has_owner(ctx->table) || > + nft_table_is_orphan(ctx->table)))) > return -EOPNOTSUPP; > > if ((flags ^ ctx->table->flags) & NFT_TABLE_F_PERSIST)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index e93f905e60b6..f06b09b32d80 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -1219,7 +1219,8 @@ static int nf_tables_updtable(struct nft_ctx *ctx) if ((nft_table_has_owner(ctx->table) && !(flags & NFT_TABLE_F_OWNER)) || (flags & NFT_TABLE_F_OWNER && - !nft_table_is_orphan(ctx->table))) + !(nft_table_has_owner(ctx->table) || + nft_table_is_orphan(ctx->table)))) return -EOPNOTSUPP; if ((flags ^ ctx->table->flags) & NFT_TABLE_F_PERSIST)
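Review bot: the relaxed second clause now lets an update carrying NFT_TABLE_F_OWNER proceed on a table that already has an owner, and nothing in the visible hunk compares the requesting socket to the table's recorded owner, so the safety of this change rests entirely on an ownership check performed before nf_tables_updtable() is entered; the changelog should say where that check lives so a reader can confirm a different process still cannot toggle the dormant flag on an owned table. Minor: the first clause still rejects dropping NFT_TABLE_F_OWNER from an owned table, so the full condition now means "the owner flag must match the table's ownership unless the table is an orphan"; a one-line comment above the if stating that would make the nested negation easier to audit than the three-level parenthesised expression.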
If a table was owned by a process, its dormant flag couldn't be updated
because the code required the table to be an orphan.

  $ nft -i
  nft> add table ip test { flags owner ; }
  nft> list table ip test
  table ip test { # progname nft
          flags owner
  }
  nft> add table ip test { flags owner ; flags dormant ; }
  Error: Could not process rule: Operation not supported
  add table ip test { flags owner ; flags dormant ; }
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Fixes: 31bf508be656 ("netfilter: nf_tables: Implement table adoption support")
Signed-off-by: Quan Tian <tianquan23@gmail.com>
---
 net/netfilter/nf_tables_api.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)