From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Pablo Neira Ayuso , Sasha Levin , netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org Subject: [PATCH AUTOSEL 5.8 56/62] netfilter: nf_tables: report EEXIST on overlaps Date: Fri, 21 Aug 2020 12:14:17 -0400 Message-Id: <20200821161423.347071-56-sashal@kernel.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200821161423.347071-1-sashal@kernel.org> References: <20200821161423.347071-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Pablo Neira Ayuso [ Upstream commit 77a92189ecfd061616ad531d386639aab7baaad9 ] Replace EBUSY by EEXIST in the following cases: - If the user adds a chain with a different configuration such as different type, hook and priority. - If the user adds a non-base chain that clashes with an existing basechain. - If the user adds a { key : value } mapping element and the key exists but the value differs. - If the device already belongs to an existing flowtable. User describe that this error reporting is confusing: - https://bugzilla.netfilter.org/show_bug.cgi?id=1176 - https://bugzilla.netfilter.org/show_bug.cgi?id=1413 Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin --- net/netfilter/nf_tables_api.c | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 88325b264737f..d31832d32e028 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -2037,7 +2037,7 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, if (nla[NFTA_CHAIN_HOOK]) { if (!nft_is_base_chain(chain)) - return -EBUSY; + return -EEXIST; err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family, false); 
@@ -2047,21 +2047,21 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, basechain = nft_base_chain(chain); if (basechain->type != hook.type) { nft_chain_release_hook(&hook); - return -EBUSY; + return -EEXIST; } if (ctx->family == NFPROTO_NETDEV) { if (!nft_hook_list_equal(&basechain->hook_list, &hook.list)) { nft_chain_release_hook(&hook); - return -EBUSY; + return -EEXIST; } } else { ops = &basechain->ops; if (ops->hooknum != hook.num || ops->priority != hook.priority) { nft_chain_release_hook(&hook); - return -EBUSY; + return -EEXIST; } } nft_chain_release_hook(&hook); @@ -5160,10 +5160,8 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^ nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) || nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^ - nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) { - err = -EBUSY; + nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) goto err_element_clash; - } if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) && memcmp(nft_set_ext_data(ext), @@ -5171,7 +5169,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) && nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) && *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2))) - err = -EBUSY; + goto err_element_clash; else if (!(nlmsg_flags & NLM_F_EXCL)) err = 0; } else if (err == -ENOTEMPTY) { @@ -6308,7 +6306,7 @@ static int nft_register_flowtable_net_hooks(struct net *net, list_for_each_entry(hook2, &ft->hook_list, list) { if (hook->ops.dev == hook2->ops.dev && hook->ops.pf == hook2->ops.pf) { - err = -EBUSY; + err = -EEXIST; goto err_unregister_net_hooks; } } -- 2.25.1
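Review bot: In nf_tables_updchain(), all four `return -EBUSY` sites under `if (nla[NFTA_CHAIN_HOOK])` become `return -EEXIST`, which changes the errno userspace receives when it re-adds a chain with a different type, hook or priority, and the commit message does not say whether any existing caller distinguishes EBUSY from EEXIST on this path. Since this is an AUTOSEL backport to 5.8, please state in the changelog that the userspace side was checked, or that no userspace change is needed, so the errno change can be judged for a released series.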
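Review bot: In nft_add_set_elem(), both `goto err_element_clash` paths now return whatever `err` already holds, because the two `err = -EBUSY` assignments are dropped and nothing replaces them, and the condition that guarantees `err` is -EEXIST at this point lies outside the context shown in these hunks. Please either keep an explicit `err = -EEXIST;` before the jump or add a one-line comment saying the enclosing branch is entered only with -EEXIST, so a later change to that branch cannot return a different errno for a key/value clash. The `else if (!(nlmsg_flags & NLM_F_EXCL))` that follows the new `goto` no longer needs the `else` and could be a plain `if`.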