From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sun, 2 Aug 2020 02:56:37 +0200
Subject: netfilter: nf_tables: extended netlink error reporting for
expressions
Patch-mainline: v5.9-rc1
Git-commit: 83d9dcba06c53e24e7dc47d51607d5cf9b50e5f9
References: bsc#1176447
This patch extends 36dd1bcc07e5 ("netfilter: nf_tables: initial support
for extended ACK reporting") to include netlink extended error reporting
for expressions. This allows userspace to identify what rule expression
is triggering the error.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
---
net/netfilter/nf_tables_api.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2520,6 +2520,7 @@ nla_put_failure:
struct nft_expr_info {
const struct nft_expr_ops *ops;
+ const struct nlattr *attr;
struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
};
@@ -2567,7 +2568,9 @@ static int nf_tables_expr_parse(const st
} else
ops = type->ops;
+ info->attr = nla;
info->ops = ops;
+
return 0;
err1:
@@ -3237,8 +3240,10 @@ static int nf_tables_newrule(struct net
expr = nft_expr_first(rule);
for (i = 0; i < n; i++) {
err = nf_tables_newexpr(&ctx, &info[i], expr);
- if (err < 0)
+ if (err < 0) {
+ NL_SET_BAD_ATTR(extack, info[i].attr);
goto err2;
+ }
if (info[i].ops->validate)
nft_validate_state_update(net, NFT_VALIDATE_NEED);