netfilter: nf_tables: allow to register flowtable with no devices

A flowtable might be composed of dynamic interfaces only. Such dynamic
interfaces might show up at a later stage. This patch allows users to
register a flowtable with no devices. Once the dynamic interface becomes
available, the user adds the dynamic devices to the flowtable.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pablo Neira Ayuso 2020-05-20 15:44:37 +02:00
parent abadb2f865
commit 05abe4456f
1 changed files with 11 additions and 9 deletions


@ -1724,8 +1724,6 @@ static int nf_tables_parse_netdev_hooks(struct net *net,
goto err_hook;
}
}
if (!n)
return -EINVAL;
return 0;
@ -1762,6 +1760,9 @@ static int nft_chain_parse_netdev(struct net *net,
hook_list);
if (err < 0)
return err;
if (list_empty(hook_list))
return -EINVAL;
} else {
return -EINVAL;
}
@ -6209,8 +6210,7 @@ static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
return err;
if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
!tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
!tb[NFTA_FLOWTABLE_HOOK_DEVS])
!tb[NFTA_FLOWTABLE_HOOK_PRIORITY])
return -EINVAL;
hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
@ -6219,11 +6219,13 @@ static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
err = nf_tables_parse_netdev_hooks(ctx->net,
tb[NFTA_FLOWTABLE_HOOK_DEVS],
&flowtable_hook->list);
if (err < 0)
return err;
if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
err = nf_tables_parse_netdev_hooks(ctx->net,
tb[NFTA_FLOWTABLE_HOOK_DEVS],
&flowtable_hook->list);
if (err < 0)
return err;
}
flowtable_hook->priority = priority;
flowtable_hook->num = hooknum;
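Review bot: With the `if (!n)` check removed from nf_tables_parse_netdev_hooks() in the first hunk, a successful return no longer implies a non-empty hook list, and the only caller shown re-adding the check is nft_chain_parse_netdev(), via `list_empty(hook_list)`. Any other caller outside these hunks would now accept an empty device list built from netlink input, so it is worth confirming that each one tolerates it. In nft_flowtable_parse_hook(), when NFTA_FLOWTABLE_HOOK_DEVS is absent the visible lines never touch `flowtable_hook->list`, so the code relies on the list head being initialised earlier in the function, which starts outside the hunk. A comment such as `/* no devices given: list stays empty, devices may be added later */` above `if (tb[NFTA_FLOWTABLE_HOOK_DEVS])` would make that contract explicit for later consumers that walk the list.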