netfilter: nf_tables: always use an upper set size for dynsets
nft rejects rules that lack a timeout and a size limit when they are used to add elements from the packet path. Pick a sane upper limit instead of rejecting outright. The upper limit is visible to userspace, just as if it had been given during set declaration. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
8e1102d5a1
commit
99a0efbeeb
1 changed files with 4 additions and 1 deletions
|
@ -36,7 +36,7 @@ static void *nft_dynset_new(struct nft_set *set, const struct nft_expr *expr,
|
|||
u64 timeout;
|
||||
void *elem;
|
||||
|
||||
if (set->size && !atomic_add_unless(&set->nelems, 1, set->size))
|
||||
if (!atomic_add_unless(&set->nelems, 1, set->size))
|
||||
return NULL;
|
||||
|
||||
timeout = priv->timeout ? : set->timeout;
|
||||
|
@ -216,6 +216,9 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
|
|||
if (err < 0)
|
||||
goto err1;
|
||||
|
||||
if (set->size == 0)
|
||||
set->size = 0xffff;
|
||||
|
||||
priv->set = set;
|
||||
return 0;
|
||||
|
||||
|
|
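Review bot: The added `set->size = 0xffff;` in nft_dynset_init is a bare magic number that silently rewrites a property of a set other rules may already reference, with no comment saying why; a named constant plus a why-comment such as `/* no size given: cap packet-path insertions so remote traffic cannot grow the set without bound */` would make the intent survive the next edit. Note also that the guard in nft_dynset_new (`atomic_add_unless(&set->nelems, 1, set->size)`) only refuses when nelems equals size exactly, so if the set already holds more than 0xffff elements when this rule is attached (presumably possible for a previously unbounded set filled from the control plane) the cap is never reached and the set keeps growing; comparing nelems against the default before adopting it, or rejecting that case in init, would close the gap. The hunk shows nothing restoring size to 0 when the rule is later deleted, so the cap appears to outlive the rule that introduced it — if intended, state that in the comment. nft_dynset_init begins before this hunk.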