
Commit 4c90bba

ummakynes authored and Florian Westphal committed
netfilter: nf_tables: do not refresh timeout when resetting element
The dump and reset command should not refresh the timeout. This command is intended to allow users to list existing stateful objects and reset them; element expiration should be refreshed via transaction instead, with a specific command to achieve this, otherwise this is entering combo semantics that will be hard to undo later (e.g. a user asking to retrieve counters but _not_ requiring to refresh expiration).

Fixes: 079cd63 ("netfilter: nf_tables: Introduce NFT_MSG_GETSETELEM_RESET")
Signed-off-by: Pablo Neira Ayuso <[email protected]>
Signed-off-by: Florian Westphal <[email protected]>
1 parent d51c42c commit 4c90bba

1 file changed: +5 -13 lines changed

net/netfilter/nf_tables_api.c

Lines changed: 5 additions & 13 deletions
@@ -5556,7 +5556,6 @@ static int nf_tables_fill_setelem(struct sk_buff *skb,
55565556
const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
55575557
unsigned char *b = skb_tail_pointer(skb);
55585558
struct nlattr *nest;
5559-
u64 timeout = 0;
55605559

55615560
nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
55625561
if (nest == NULL)
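Review bot: dropping the `u64 timeout = 0;` declaration is only safe if every remaining reader of `timeout` in nf_tables_fill_setelem goes with it; the later hunks remove the assignment in the NFT_SET_EXT_TIMEOUT branch, the `READ_ONCE(set->timeout)` fallback and the `now + timeout` reset write, so no dangling use is left and the file should build clean. A quick compile of net/netfilter/nf_tables_api.c confirms nothing outside the shown context still references the local.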
@@ -5592,15 +5591,11 @@ static int nf_tables_fill_setelem(struct sk_buff *skb,
55925591
htonl(*nft_set_ext_flags(ext))))
55935592
goto nla_put_failure;
55945593

5595-
if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) {
5596-
timeout = *nft_set_ext_timeout(ext);
5597-
if (nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
5598-
nf_jiffies64_to_msecs(timeout),
5599-
NFTA_SET_ELEM_PAD))
5600-
goto nla_put_failure;
5601-
} else if (set->flags & NFT_SET_TIMEOUT) {
5602-
timeout = READ_ONCE(set->timeout);
5603-
}
5594+
if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
5595+
nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
5596+
nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
5597+
NFTA_SET_ELEM_PAD))
5598+
goto nla_put_failure;
56045599

56055600
if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
56065601
u64 expires, now = get_jiffies_64();
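Review bot: collapsing the timeout block into a single `if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) && nla_put_be64(...)) goto nla_put_failure;` keeps the netlink output identical: before the change the NFTA_SET_ELEM_TIMEOUT attribute was also only emitted when the extension existed, and the removed `else if (set->flags & NFT_SET_TIMEOUT) timeout = READ_ONCE(set->timeout);` branch only fed the local consumed by the reset write, so no dump consumer sees a difference. One style nit: with the condition now spanning three lines, make sure the `nla_put_be64(` continuation lines align under the opening parenthesis per kernel style; the rendered diff does not preserve indentation, so checkpatch is the easier check.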
@@ -5615,9 +5610,6 @@ static int nf_tables_fill_setelem(struct sk_buff *skb,
56155610
nf_jiffies64_to_msecs(expires),
56165611
NFTA_SET_ELEM_PAD))
56175612
goto nla_put_failure;
5618-
5619-
if (reset)
5620-
*nft_set_ext_expiration(ext) = now + timeout;
56215613
}
56225614

56235615
if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
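Review bot: removing `if (reset) *nft_set_ext_expiration(ext) = now + timeout;` is the actual behavioural fix and also removes the one place where this fill helper wrote to element state from a dump path; with it gone the function is read-only, which matches the commit message's intent that resetting counters must not refresh expiration. Two things are not visible in the shown context and worth checking before sending: whether `now` (declared alongside `expires` in this block) still has a user in the lines between the two hunks, so the compiler's unused-variable warning settles it, and whether this was the last use of the `reset` parameter inside the function, in which case a follow-up could drop it from the signature.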
