diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2024-09-03 01:06:49 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2024-09-03 18:18:21 +0200 |
| commit | d2dc429ecb4e79ad164028d965c00f689e6f6d06 (patch) | |
| tree | 13584430b629cbb3c99745310cfa78483aa7f1db /net/netfilter | |
| parent | e0c47281723f301894c14e6f5cd5884fdfb813f9 (diff) | |
| download | linux-d2dc429ecb4e79ad164028d965c00f689e6f6d06.tar.gz linux-d2dc429ecb4e79ad164028d965c00f689e6f6d06.tar.bz2 linux-d2dc429ecb4e79ad164028d965c00f689e6f6d06.zip | |
netfilter: nf_tables: reject element expiration with no timeout
If element timeout is unset and set provides no default timeout, the
element expiration is silently ignored, reject this instead to let user
know this is unsupported.
Also prepare for supporting timeout that never expire, where zero
timeout and expiration must be also rejected.
Fixes: 8e1102d5a159 ("netfilter: nf_tables: support timeouts larger than 23 days")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter')
| -rw-r--r-- | net/netfilter/nf_tables_api.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index b49fcd7148d3..da75bc1de466 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -6923,6 +6923,9 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) { if (!(set->flags & NFT_SET_TIMEOUT)) return -EINVAL; + if (timeout == 0) + return -EOPNOTSUPP; + err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION], &expiration); if (err) |