netfilter: nf_tables: bogus ENOENT when destroying element which does not exist

fw-strlen · fw-strlen · commit 3f8af1566565 · 2024-01-19T13:25:08.000+01:00
JIRA: https://issues.redhat.com/browse/RHEL-21443 Upstream Status: commit a7d5a95 commit a7d5a95 Author: Pablo Neira Ayuso <pablo@netfilter.org> Date: Mon Nov 13 20:34:56 2023 +0100 netfilter: nf_tables: bogus ENOENT when destroying element which does not exist destroy element command bogusly reports ENOENT in case a set element does not exist. ENOENT errors are skipped, however, err is still set and propagated to userspace. # nft destroy element ip raw BLACKLIST { 1.2.3.4 } Error: Could not process rule: No such file or directory destroy element ip raw BLACKLIST { 1.2.3.4 } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Fixes: f80a612 ("netfilter: nf_tables: add support to destroy operation") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fwestpha@redhat.com>
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
@@ -7012,10 +7012,11 @@ static int nf_tables_delsetelem(struct sk_buff *skb,
 
 		if (err < 0) {
 			NL_SET_BAD_ATTR(extack, attr);
-			break;
+			return err;
 		}
 	}
-	return err;
+
+	return 0;
 }
 
 /*

Original file line number	Diff line number	Diff line change
`@@ -7012,10 +7012,11 @@ static int nf_tables_delsetelem(struct sk_buff *skb,`
`7012`	`7012`
`7013`	`7013`	`if (err < 0) {`
`7014`	`7014`	`NL_SET_BAD_ATTR(extack, attr);`
`7015`		`- break;`
	`7015`	`+ return err;`
`7016`	`7016`	`}`
`7017`	`7017`	`}`
`7018`		`- return err;`
	`7018`	`+`
	`7019`	`+ return 0;`
`7019`	`7020`	`}`
`7020`	`7021`
`7021`	`7022`	`/*`