netfilter: nf_tables: report EOPNOTSUPP on unsupported flags/object type
authorPablo Neira Ayuso <pablo@netfilter.org>
Tue, 7 Apr 2020 12:10:11 +0000 (14:10 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 23 Apr 2020 08:30:13 +0000 (10:30 +0200)
commit d9583cdf2f38d0f526d9a8c8564dd2e35e649bc7 upstream.

EINVAL should be used for malformed netlink messages. New userspace
utility and old kernels might easily result in EINVAL when exercising
new set features, which is misleading.

Fixes: 8aeff920dcc9 ("netfilter: nf_tables: add stateful object reference to set elements")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net/netfilter/nf_tables_api.c

index 5881f66688171dee4a5bb4a039a1a28f9cea59f6..1b8a53081632ffab249737a89af59ef3fe2906da 100644 (file)
@@ -3450,7 +3450,7 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk,
                              NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
                              NFT_SET_MAP | NFT_SET_EVAL |
                              NFT_SET_OBJECT))
-                       return -EINVAL;
+                       return -EOPNOTSUPP;
                /* Only one of these operations is supported */
                if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
                             (NFT_SET_MAP | NFT_SET_OBJECT))
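Review bot: The flag-mask check that now returns -EOPNOTSUPP carries no comment saying why it differs from the -EINVAL returns used for malformed attributes, so the next flag added to this mask could easily get the wrong errno again. A one-line comment above the test would record the convention, for example `/* Unknown flag bits: feature not supported by this kernel, not a malformed message */`. The `if` that owns this mask opens above the hunk, and the return code of the following "only one of these operations" check is not visible here, so it is worth confirming that it follows the same convention.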
@@ -3488,7 +3488,7 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk,
                objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
                if (objtype == NFT_OBJECT_UNSPEC ||
                    objtype > NFT_OBJECT_MAX)
-                       return -EINVAL;
+                       return -EOPNOTSUPP;
        } else if (flags & NFT_SET_OBJECT)
                return -EINVAL;
        else
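Review bot: `objtype == NFT_OBJECT_UNSPEC` now returns -EOPNOTSUPP together with `objtype > NFT_OBJECT_MAX`, but only the second case looks like a type newer than this kernel; an unspecified type reads as a malformed request, which the commit message says should stay -EINVAL. Splitting the test keeps the two meanings apart for userspace that feature-probes on the errno: `if (objtype == NFT_OBJECT_UNSPEC) return -EINVAL;` followed by `if (objtype > NFT_OBJECT_MAX) return -EOPNOTSUPP;`. Whether any userspace sends UNSPEC deliberately is not visible from this hunk, so confirm against the nft side before changing it. The enclosing `if` and the rest of nf_tables_newset lie outside the hunk.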