netfilter: nf_tables: report EOPNOTSUPP on unsupported flags/object type
commitd9583cdf2f
upstream. EINVAL should be used for malformed netlink messages. New userspace utility and old kernels might easily result in EINVAL when exercising new set features, which is misleading. Fixes:8aeff920dc
("netfilter: nf_tables: add stateful object reference to set elements") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
aea3873fb0
commit
daefa51c43
|
@ -3598,7 +3598,7 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk,
|
|||
NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
|
||||
NFT_SET_MAP | NFT_SET_EVAL |
|
||||
NFT_SET_OBJECT))
|
||||
return -EINVAL;
|
||||
return -EOPNOTSUPP;
|
||||
/* Only one of these operations is supported */
|
||||
if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
|
||||
(NFT_SET_MAP | NFT_SET_OBJECT))
|
||||
|
@ -3636,7 +3636,7 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk,
|
|||
objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
|
||||
if (objtype == NFT_OBJECT_UNSPEC ||
|
||||
objtype > NFT_OBJECT_MAX)
|
||||
return -EINVAL;
|
||||
return -EOPNOTSUPP;
|
||||
} else if (flags & NFT_SET_OBJECT)
|
||||
return -EINVAL;
|
||||
else
|
||||
|
|
Loading…
Reference in New Issue