Commit 99a0efbe authored by Florian Westphal, committed by Pablo Neira Ayuso

netfilter: nf_tables: always use an upper set size for dynsets

nft rejects rules that lack a timeout and a size limit when they're used
to add elements from the packet path.

Pick a sane upper limit instead of rejecting outright.
The upper limit is visible to userspace, just as if it had been
given during set declaration.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent 8e1102d5
...@@ -36,7 +36,7 @@ static void *nft_dynset_new(struct nft_set *set, const struct nft_expr *expr, ...@@ -36,7 +36,7 @@ static void *nft_dynset_new(struct nft_set *set, const struct nft_expr *expr,
u64 timeout; u64 timeout;
void *elem; void *elem;
if (set->size && !atomic_add_unless(&set->nelems, 1, set->size)) if (!atomic_add_unless(&set->nelems, 1, set->size))
return NULL; return NULL;
timeout = priv->timeout ? : set->timeout; timeout = priv->timeout ? : set->timeout;
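Review bot: dropping the `set->size &&` guard in nft_dynset_new() makes the atomic_add_unless() cap unconditional, so the packet-path add now silently depends on set->size never being zero for any set a dynset expression references; with set->size == 0, atomic_add_unless(&set->nelems, 1, 0) would refuse the very first element. That invariant is only established later in nft_dynset_init(), so a one-line comment here pointing at where the fallback size is assigned would keep the two hunks from drifting apart.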
...@@ -216,6 +216,9 @@ static int nft_dynset_init(const struct nft_ctx *ctx, ...@@ -216,6 +216,9 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
if (err < 0) if (err < 0)
goto err1; goto err1;
if (set->size == 0)
set->size = 0xffff;
priv->set = set; priv->set = set;
return 0; return 0;
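Review bot: 0xffff in nft_dynset_init() is a magic number; it deserves a named constant and a short comment stating that it is the fallback cap applied only to sets declared without a size. Since set->size becomes non-zero and userspace-visible, the same cap will also be enforced on the control-plane element-add path, which is consistent with the commit message but worth spelling out there. The `if (set->size == 0)` guard is idempotent for a second dynset expression on the same set, so no extra guard is needed.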