From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sun, 2 Aug 2020 03:05:25 +0200
Subject: netfilter: nf_tables: report EEXIST on overlaps
Patch-mainline: v5.9-rc1
Git-commit: 77a92189ecfd061616ad531d386639aab7baaad9
References: bsc#1176447
Replace EBUSY by EEXIST in the following cases:
- If the user adds a chain with a different configuration such as different
type, hook and priority.
- If the user adds a non-base chain that clashes with an existing basechain.
- If the user adds a { key : value } mapping element and the key exists
but the value differs.
- If the device already belongs to an existing flowtable.
User describe that this error reporting is confusing:
- https://bugzilla.netfilter.org/show_bug.cgi?id=1176
- https://bugzilla.netfilter.org/show_bug.cgi?id=1413
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
---
net/netfilter/nf_tables_api.c | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2108,7 +2108,7 @@ static int nf_tables_updchain(struct nft
if (nla[NFTA_CHAIN_HOOK]) {
if (!nft_is_base_chain(chain))
- return -EBUSY;
+ return -EEXIST;
err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
false);
@@ -2118,21 +2118,21 @@ static int nf_tables_updchain(struct nft
basechain = nft_base_chain(chain);
if (basechain->type != hook.type) {
nft_chain_release_hook(&hook);
- return -EBUSY;
+ return -EEXIST;
}
if (ctx->family == NFPROTO_NETDEV) {
if (!nft_hook_list_equal(&basechain->hook_list,
&hook.list)) {
nft_chain_release_hook(&hook);
- return -EBUSY;
+ return -EEXIST;
}
} else {
ops = &basechain->ops;
if (ops->hooknum != hook.num ||
ops->priority != hook.priority) {
nft_chain_release_hook(&hook);
- return -EBUSY;
+ return -EEXIST;
}
}
nft_chain_release_hook(&hook);
@@ -5309,10 +5309,8 @@ static int nft_add_set_elem(struct nft_c
if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
- nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
- err = -EBUSY;
+ nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
goto err_element_clash;
- }
if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
memcmp(nft_set_ext_data(ext),
@@ -5320,7 +5318,7 @@ static int nft_add_set_elem(struct nft_c
(nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
*nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
- err = -EBUSY;
+ goto err_element_clash;
else if (!(nlmsg_flags & NLM_F_EXCL))
err = 0;
} else if (err == -ENOTEMPTY) {
@@ -6507,7 +6505,7 @@ static int nft_register_flowtable_net_ho
list_for_each_entry(hook2, &ft->hook_list, list) {
if (hook->ops.dev == hook2->ops.dev &&
hook->ops.pf == hook2->ops.pf) {
- err = -EBUSY;
+ err = -EEXIST;
goto err_unregister_net_hooks;
}
}