netfilter: nf_tables: reject unbound anonymous set before commit phase
authorPablo Neira Ayuso <pablo@netfilter.org>
Fri, 16 Jun 2023 13:21:33 +0000 (15:21 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Tue, 20 Jun 2023 20:43:41 +0000 (22:43 +0200)
commit938154b93be8cd611ddfd7bafc1849f3c4355201
tree3e06b7e06a09c107467857868c63926d8bde4a6a
parentc88c535b592d3baeee74009f3eceeeaf0fdd5e1b
netfilter: nf_tables: reject unbound anonymous set before commit phase

Add a new list to track set transaction and to check for unbound
anonymous sets before entering the commit phase.

Bail out at the end of the transaction handling if an anonymous set
remains unbound.

Fixes: 96518518cc41 ("netfilter: add nftables")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
include/net/netfilter/nf_tables.h
net/netfilter/nf_tables_api.c