netfilter: nf_tables_offload: return EOPNOTSUPP if rule specifies no actions

[ Upstream commit 81ec61074bcf68acfcb2820cda3ff9d9984419c7 ] If the rule only specifies the matching side, return EOPNOTSUPP. Otherwise, the front-end relies on the drivers to reject this rule. Fixes: c9626a2cbdb2 ("netfilter: nf_tables: add hardware offload support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2019-12-07 00:49:58 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-01-12 14:21:18 +0300
commit: 36d08a41d23f060b45d2db01bd5e72d156445b65 (patch)
tree: 13156063ac37b031c4d023b5a07aa4ba4361a91b /net/netfilter
parent: 7aa02b48875f274563346d5a6097aa784360d73b (diff)
download: linux-36d08a41d23f060b45d2db01bd5e72d156445b65.tar.xz
1 files changed, 3 insertions, 0 deletions
diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c
index 6f7eab502e65..e743f811245f 100644
--- a/net/netfilter/nf_tables_offload.c
+++ b/net/netfilter/nf_tables_offload.c
@@ -44,6 +44,9 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net,
 		expr = nft_expr_next(expr);
 	}
 
+	if (num_actions == 0)
+		return ERR_PTR(-EOPNOTSUPP);
+
 	flow = nft_flow_rule_alloc(num_actions);
 	if (!flow)
 		return ERR_PTR(-ENOMEM);
author	Pablo Neira Ayuso <pablo@netfilter.org>	2019-12-07 00:49:58 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2020-01-12 14:21:18 +0300
commit	36d08a41d23f060b45d2db01bd5e72d156445b65 (patch)
tree	13156063ac37b031c4d023b5a07aa4ba4361a91b /net/netfilter
parent	7aa02b48875f274563346d5a6097aa784360d73b (diff)
download	linux-36d08a41d23f060b45d2db01bd5e72d156445b65.tar.xz