| From 0c5b7a501e7400869ee905b4f7af3d6717802bcb Mon Sep 17 00:00:00 2001 |
| From: Pablo Neira Ayuso <pablo@netfilter.org> |
| Date: Sat, 16 Jan 2021 19:20:15 +0100 |
| Subject: netfilter: nft_dynset: add timeout extension to template |
| |
| From: Pablo Neira Ayuso <pablo@netfilter.org> |
| |
| commit 0c5b7a501e7400869ee905b4f7af3d6717802bcb upstream. |
| |
| Otherwise, the newly create element shows no timeout when listing the |
| ruleset. If the set definition does not specify a default timeout, then |
| the set element only shows the expiration time, but not the timeout. |
| This is a problem when restoring a stateful ruleset listing since it |
| skips the timeout policy entirely. |
| |
| Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates") |
| Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| net/netfilter/nft_dynset.c | 4 +++- |
| 1 file changed, 3 insertions(+), 1 deletion(-) |
| |
| --- a/net/netfilter/nft_dynset.c |
| +++ b/net/netfilter/nft_dynset.c |
| @@ -189,8 +189,10 @@ static int nft_dynset_init(const struct |
| nft_set_ext_add_length(&priv->tmpl, NFT_SET_EXT_EXPR, |
| priv->expr->ops->size); |
| if (set->flags & NFT_SET_TIMEOUT) { |
| - if (timeout || set->timeout) |
| + if (timeout || set->timeout) { |
| + nft_set_ext_add(&priv->tmpl, NFT_SET_EXT_TIMEOUT); |
| nft_set_ext_add(&priv->tmpl, NFT_SET_EXT_EXPIRATION); |
| + } |
| } |
| |
| priv->timeout = timeout; |
