netfilter: nf_tables: disallow anonymous set with timeout flag

ummakynes · ummakynes · commit 16603605b667 · 2024-03-07T00:02:42.000+01:00
Anonymous sets are never used with timeout from userspace, reject this. Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work. Cc: stable@vger.kernel.org Fixes: 761da29 ("netfilter: nf_tables: add set timeout API support") Reported-by: lonial con <kongln9170@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
@@ -5001,6 +5001,9 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
 		if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
 			     (NFT_SET_EVAL | NFT_SET_OBJECT))
 			return -EOPNOTSUPP;
+		if ((flags & (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT | NFT_SET_EVAL)) ==
+			     (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT))
+			return -EOPNOTSUPP;
 	}
 
 	desc.dtype = 0;

Original file line number	Diff line number	Diff line change
`@@ -5001,6 +5001,9 @@ static int nf_tables_newset(struct sk_buff skb, const struct nfnl_info info,`
`5001`	`5001`	`if ((flags & (NFT_SET_EVAL \| NFT_SET_OBJECT)) ==`
`5002`	`5002`	`(NFT_SET_EVAL \| NFT_SET_OBJECT))`
`5003`	`5003`	`return -EOPNOTSUPP;`
	`5004`	`+ if ((flags & (NFT_SET_ANONYMOUS \| NFT_SET_TIMEOUT \| NFT_SET_EVAL)) ==`
	`5005`	`+ (NFT_SET_ANONYMOUS \| NFT_SET_TIMEOUT))`
	`5006`	`+ return -EOPNOTSUPP;`
`5004`	`5007`	`}`
`5005`	`5008`
`5006`	`5009`	`desc.dtype = 0;`