Fix nla_policies to fully support NL_VALIDATE_STRICT
authorJozsef Kadlecsik <kadlec@netfilter.org>
Fri, 1 Nov 2019 14:36:44 +0000 (15:36 +0100)
committerJozsef Kadlecsik <kadlec@netfilter.org>
Fri, 1 Nov 2019 14:36:44 +0000 (15:36 +0100)
Since v5.2 (commit "netlink: re-add parse/validate functions in
strict mode") NL_VALIDATE_STRICT is enabled. Fix the ipset nla_policies
which did not support strict mode and thus the corresponding ipset
commands failed.

kernel/net/netfilter/ipset/ip_set_core.c
kernel/net/netfilter/ipset/ip_set_hash_net.c
kernel/net/netfilter/ipset/ip_set_hash_netnet.c

index 7c7ff41d052b6d7e25e79bdc206f90446026a308..4d8e8b1a59c8f8d837e9896a9432045651ef4d7a 100644 (file)
@@ -1481,6 +1481,14 @@ dump_attrs(struct nlmsghdr *nlh)
        }
 }
 
+static const struct nla_policy
+ip_set_dump_policy[IPSET_ATTR_CMD_MAX + 1] = {
+       [IPSET_ATTR_PROTOCOL]   = { .type = NLA_U8 },
+       [IPSET_ATTR_SETNAME]    = { .type = NLA_NUL_STRING,
+                                   .len = IPSET_MAXNAMELEN - 1 },
+       [IPSET_ATTR_FLAGS]      = { .type = NLA_U32 },
+};
+
 static int
 dump_init(struct netlink_callback *cb, struct ip_set_net *inst)
 {
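Review bot: `ip_set_dump_policy` is added with no comment saying which requests it validates or why the existing `ip_set_setname_policy` was not sufficient. That matters because, per the commit message, an attribute missing from the policy makes the command fail in strict mode. I would add above the table `/* Attributes accepted in dump requests (parsed in dump_init); anything not listed here fails strict validation. */`. Separately, `IPSET_ATTR_FLAGS` is only type-checked as `NLA_U32`, so any rejection or masking of unknown flag bits has to happen in the consumer. `dump_init`'s body continues outside the hunk, so that cannot be confirmed from here.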
@@ -1494,7 +1502,7 @@ dump_init(struct netlink_callback *cb, struct ip_set_net *inst)
 
        ret = NLA_PARSE(cda, IPSET_ATTR_CMD_MAX, attr,
                        nlh->nlmsg_len - min_len,
-                       ip_set_setname_policy, NULL);
+                       ip_set_dump_policy, NULL);
        if (ret)
                return ret;
 
@@ -2186,7 +2194,7 @@ static const struct nfnl_callback ip_set_netlink_subsys_cb[IPSET_MSG_MAX] = {
        [IPSET_CMD_LIST]        = {
                .call           = ip_set_dump,
                .attr_count     = IPSET_ATTR_CMD_MAX,
-               .policy         = ip_set_setname_policy,
+               .policy         = ip_set_dump_policy,
        },
        [IPSET_CMD_SAVE]        = {
                .call           = ip_set_dump,
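Review bot: `IPSET_CMD_SAVE` also dispatches to `ip_set_dump`, but its `.policy` line falls just past the end of this hunk, so it is not visible whether it was switched along with `IPSET_CMD_LIST`. The earlier hunk makes the `NLA_PARSE` call in `dump_init` use `ip_set_dump_policy`, and that parse presumably runs for both commands. If SAVE still points at `ip_set_setname_policy`, the two validation points would disagree about `IPSET_ATTR_FLAGS`. Please confirm, and if needed set `.policy = ip_set_dump_policy,` on the SAVE entry as well so the callback table and the parse stay in step.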
index 234b675863645fa113694be28dcc7db9388cb34d..923bffbbe3aa9f6ea6a6895670ad7dbc630917ab 100644 (file)
@@ -369,6 +369,7 @@ static struct ip_set_type hash_net_type __read_mostly = {
                [IPSET_ATTR_IP_TO]      = { .type = NLA_NESTED },
                [IPSET_ATTR_CIDR]       = { .type = NLA_U8 },
                [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
+               [IPSET_ATTR_LINENO]     = { .type = NLA_U32 },
                [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
                [IPSET_ATTR_BYTES]      = { .type = NLA_U64 },
                [IPSET_ATTR_PACKETS]    = { .type = NLA_U64 },
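Review bot: The `IPSET_ATTR_LINENO` entry added here, and the identical one in the `hash_netnet_type` hunk in the next file, fix an omission that only showed up at runtime once strict validation was enabled. The diffstat lists only these two set-type files, so it is not visible from this page whether every other set type's table already carries the attribute. The struct initialisers start and end outside both hunks. I would suggest auditing the remaining set types for the same gap. A regression test that sends an add/del request carrying a line number to each set type would keep the next missing policy entry from surfacing as a failed user command.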
index bcb6d0b4db3644bea2ef2e8d472147c3d7a81648..da4ef910b12d10c6ef74f3a1d9cdcb9a72ba8fa7 100644 (file)
@@ -476,6 +476,7 @@ static struct ip_set_type hash_netnet_type __read_mostly = {
                [IPSET_ATTR_CIDR]       = { .type = NLA_U8 },
                [IPSET_ATTR_CIDR2]      = { .type = NLA_U8 },
                [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
+               [IPSET_ATTR_LINENO]     = { .type = NLA_U32 },
                [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
                [IPSET_ATTR_BYTES]      = { .type = NLA_U64 },
                [IPSET_ATTR_PACKETS]    = { .type = NLA_U64 },