
[nf-next,v2,2/9] netfilter: nf_tables: reject element expiration with no timeout

Message ID 20240902231726.171964-2-pablo@netfilter.org
State Changes Requested
Series [nf-next,v2,1/9] netfilter: nf_tables: elements with timeout below CONFIG_HZ never expire

Commit Message

Pablo Neira Ayuso Sept. 2, 2024, 11:17 p.m. UTC
If the element timeout is unset and the set provides no default timeout, the
element expiration is silently ignored; reject this instead to let the user
know this is unsupported.

Also prepare for supporting timeouts that never expire, where a zero
timeout together with an expiration must also be rejected.

Fixes: 8e1102d5a159 ("netfilter: nf_tables: support timeouts larger than 23 days")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v2: remove leftover sentence in patch description, as per Phil.

 net/netfilter/nf_tables_api.c | 3 +++
 1 file changed, 3 insertions(+)

Patch

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 6de74dae50fc..1884125ebb28 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6917,6 +6917,9 @@  static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
 	if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
 		if (!(set->flags & NFT_SET_TIMEOUT))
 			return -EINVAL;
+		if (timeout == 0)
+			return -EOPNOTSUPP;
+
 		err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
 					    &expiration);
 		if (err)
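Review bot: the new `if (timeout == 0) return -EOPNOTSUPP;` depends on `timeout` already holding the effective value (the element's own NFTA_SET_ELEM_TIMEOUT, or the set default when the element has none) at this point in nft_add_set_elem(); that assignment is not visible in the hunk, so please confirm it happens before this block, otherwise an element that carries its own timeout but belongs to a set without a default would be wrongly rejected. Two smaller points on the same lines: the block now returns -EINVAL for a set without NFT_SET_TIMEOUT and -EOPNOTSUPP for a zero timeout, and since the description says the goal is to "let the user know this is unsupported", a bare errno gives little to go on; consider returning the same error for both cases or, better, adding an extack hint (for example NL_SET_BAD_ATTR on nla[NFTA_SET_ELEM_EXPIRATION]) so the rejected attribute is reported back. Finally, since the check sits before nf_msecs_to_jiffies64(), the expiration attribute is never parsed when timeout is zero, which is fine for the stated intent but worth a one-line comment above the check explaining that an expiration without a timeout (and, once zero means "never expire", with a zero timeout) has no meaning.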