releases/5.4.160/netfilter-nft_dynset-relax-superfluous-check-on-set-.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 696c4e568f82edff9c5a2341a23edc14e5867c8c Mon Sep 17 00:00:00 2001
 From: Sasha Levin <sashal@kernel.org>
 Date: Sat, 25 Sep 2021 22:40:26 +0200
 Subject: netfilter: nft_dynset: relax superfluous check on set updates

 From: Pablo Neira Ayuso <pablo@netfilter.org>

 [ Upstream commit 7b1394892de8d95748d05e3ee41e85edb4abbfa1 ]

 Relax this condition to make add and update commands idempotent for sets
 with no timeout. The eval function already checks if the set element
 timeout is available and updates it if the update command is used.

 Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates")
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
  net/netfilter/nft_dynset.c | 11 +----------
  1 file changed, 1 insertion(+), 10 deletions(-)

 diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
 index 95415d2b81c93..6fdea0e57db8a 100644
 --- a/net/netfilter/nft_dynset.c
 +++ b/net/netfilter/nft_dynset.c
 @@ -164,17 +164,8 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
  		return -EBUSY;

  	priv->op = ntohl(nla_get_be32(tb[NFTA_DYNSET_OP]));
 -	switch (priv->op) {
 -	case NFT_DYNSET_OP_ADD:
 -	case NFT_DYNSET_OP_DELETE:
 -		break;
 -	case NFT_DYNSET_OP_UPDATE:
 -		if (!(set->flags & NFT_SET_TIMEOUT))
 -			return -EOPNOTSUPP;
 -		break;
 -	default:
 +	if (priv->op > NFT_DYNSET_OP_DELETE)
  		return -EOPNOTSUPP;
 -	}

  	timeout = 0;
  	if (tb[NFTA_DYNSET_TIMEOUT] != NULL) {
 --
 2.33.0
	From 696c4e568f82edff9c5a2341a23edc14e5867c8c Mon Sep 17 00:00:00 2001
	From: Sasha Levin <sashal@kernel.org>
	Date: Sat, 25 Sep 2021 22:40:26 +0200
	Subject: netfilter: nft_dynset: relax superfluous check on set updates

	From: Pablo Neira Ayuso <pablo@netfilter.org>

	[ Upstream commit 7b1394892de8d95748d05e3ee41e85edb4abbfa1 ]

	Relax this condition to make add and update commands idempotent for sets
	with no timeout. The eval function already checks if the set element
	timeout is available and updates it if the update command is used.

	Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates")
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
	Signed-off-by: Sasha Levin <sashal@kernel.org>
	---
	net/netfilter/nft_dynset.c \| 11 +----------
	1 file changed, 1 insertion(+), 10 deletions(-)

	diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
	index 95415d2b81c93..6fdea0e57db8a 100644
	--- a/net/netfilter/nft_dynset.c
	+++ b/net/netfilter/nft_dynset.c
	@@ -164,17 +164,8 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
	return -EBUSY;

	priv->op = ntohl(nla_get_be32(tb[NFTA_DYNSET_OP]));
	- switch (priv->op) {
	- case NFT_DYNSET_OP_ADD:
	- case NFT_DYNSET_OP_DELETE:
	- break;
	- case NFT_DYNSET_OP_UPDATE:
	- if (!(set->flags & NFT_SET_TIMEOUT))
	- return -EOPNOTSUPP;
	- break;
	- default:
	+ if (priv->op > NFT_DYNSET_OP_DELETE)
	return -EOPNOTSUPP;
	- }

	timeout = 0;
	if (tb[NFTA_DYNSET_TIMEOUT] != NULL) {
	--
	2.33.0