
Commit abe4ffe

netfilter: nf_tables: do not refresh timeout when resetting element
JIRA: https://issues.redhat.com/browse/RHEL-21443 Upstream Status: commit 4c90bba commit 4c90bba Author: Pablo Neira Ayuso <pablo@netfilter.org> Date: Mon Oct 2 11:57:42 2023 +0200 netfilter: nf_tables: do not refresh timeout when resetting element The dump and reset command should not refresh the timeout, this command is intended to allow users to list existing stateful objects and reset them, element expiration should be refreshed via transaction instead with a specific command to achieve this, otherwise this is entering combo semantics that will be hard to be undone later (eg. a user asking to retrieve counters but _not_ requiring to refresh expiration). Fixes: 079cd63 ("netfilter: nf_tables: Introduce NFT_MSG_GETSETELEM_RESET") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Florian Westphal <fwestpha@redhat.com>
1 parent c86608d commit abe4ffe


1 file changed

+5
-13
lines changed


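--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5360,7 +5360,6 @@ static int nf_tables_fill_setelem(struct sk_buff *skb,
 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
 unsigned char *b = skb_tail_pointer(skb);
 struct nlattr *nest;
-u64 timeout = 0;
 
 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
 if (nest == NULL)
@@ -5396,15 +5395,11 @@ static int nf_tables_fill_setelem(struct sk_buff *skb,
 htonl(*nft_set_ext_flags(ext))))
 goto nla_put_failure;
 
-if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) {
-timeout = *nft_set_ext_timeout(ext);
-if (nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
-nf_jiffies64_to_msecs(timeout),
-NFTA_SET_ELEM_PAD))
-goto nla_put_failure;
-} else if (set->flags & NFT_SET_TIMEOUT) {
-timeout = READ_ONCE(set->timeout);
-}
+if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
+nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
+nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
+NFTA_SET_ELEM_PAD))
+goto nla_put_failure;
 
 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
 u64 expires, now = get_jiffies_64();
@@ -5419,9 +5414,6 @@ static int nf_tables_fill_setelem(struct sk_buff *skb,
 nf_jiffies64_to_msecs(expires),
 NFTA_SET_ELEM_PAD))
 goto nla_put_failure;
-
-if (reset)
-*nft_set_ext_expiration(ext) = now + timeout;
 }
 
 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {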
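Review bot: The third hunk removes the only write to `*nft_set_ext_expiration(ext)`, so `reset` no longer has any effect on element expiration, but nothing left in the dump path records that this is deliberate; a later reader who sees `reset` next to the NFT_SET_EXT_EXPIRATION block may reintroduce the refresh. Suggest a comment above that block: `/* Dump-and-reset must not refresh expiration: only stateful objects (e.g. counters) are reset; a timeout refresh needs its own transaction. */`. The dumped expiration is still derived from `now` exactly as before, so the netlink output for a plain dump is unchanged. `nf_tables_fill_setelem` starts before and ends after these hunks, so whether `reset` still reaches the per-expression dump further down cannot be confirmed from here.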
