netfilter: nf_tables: disallow element removal on anonymous sets

JIRA: https://issues.redhat.com/browse/RHEL-1720
JIRA: https://issues.redhat.com/browse/RHEL-1721
Upstream Status: commit 23a3bfd

commit 23a3bfd
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Sun Sep 10 19:04:45 2023 +0200

    netfilter: nf_tables: disallow element removal on anonymous sets

    Anonymous sets need to be populated once at creation and then they are
    bound to rule since 938154b ("netfilter: nf_tables: reject unbound
    anonymous set before commit phase"), otherwise transaction reports
    EINVAL.

    Userspace does not need to delete elements of anonymous sets that are
    not yet bound, reject this with EOPNOTSUPP.

    From flush command path, skip anonymous sets, they are expected to be
    bound already. Otherwise, EINVAL is hit at the end of this transaction
    for unbound sets.

    Fixes: 9651851 ("netfilter: add nftables")
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Florian Westphal <fwestpha@redhat.com>

Author: fw-strlen

net/netfilter/nf_tables_api.c

@@ -1358,8 +1358,7 @@ static int nft_flush_table(struct nft_ctx *ctx)
 		if (!nft_is_active_next(ctx->net, set))
 			continue;
 
-		if (nft_set_is_anonymous(set) &&
-		    !list_empty(&set->bindings))
+		if (nft_set_is_anonymous(set))
 			continue;
 
 		err = nft_delset(ctx, set);
@@ -6884,8 +6883,10 @@ static int nf_tables_delsetelem(struct sk_buff *skb,
 	if (IS_ERR(set))
 		return PTR_ERR(set);
 
-	if (!list_empty(&set->bindings) &&
-	    (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS)))
+	if (nft_set_is_anonymous(set))
+		return -EOPNOTSUPP;
+
+	if (!list_empty(&set->bindings) && (set->flags & NFT_SET_CONSTANT))
 		return -EBUSY;
 
 	nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);