netfilter: nft_dynset: report EOPNOTSUPP on missing set feature

If userspace requests a feature which is not available the original set
definition, then bail out with EOPNOTSUPP. If userspace sends
unsupported dynset flags (new feature not supported by this kernel),
then report EOPNOTSUPP to userspace. EINVAL should be only used to
report malformed netlink messages from userspace.

Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index 983a1d5ca3ab5bb9b3f1cf8dc59208532bbd6d5b..f35df221a6334b848e626f71d316103dd061fa2d 100644 (file)
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -177,7 +177,7 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
                u32 flags = ntohl(nla_get_be32(tb[NFTA_DYNSET_FLAGS]));
 
                if (flags & ~NFT_DYNSET_F_INV)
-                       return -EINVAL;
+                       return -EOPNOTSUPP;
                if (flags & NFT_DYNSET_F_INV)
                        priv->invert = true;
        }
@@ -210,7 +210,7 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
        timeout = 0;
        if (tb[NFTA_DYNSET_TIMEOUT] != NULL) {
                if (!(set->flags & NFT_SET_TIMEOUT))
-                       return -EINVAL;
+                       return -EOPNOTSUPP;
 
                err = nf_msecs_to_jiffies64(tb[NFTA_DYNSET_TIMEOUT], &timeout);
                if (err)
@@ -224,7 +224,7 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
 
        if (tb[NFTA_DYNSET_SREG_DATA] != NULL) {
                if (!(set->flags & NFT_SET_MAP))
-                       return -EINVAL;
+                       return -EOPNOTSUPP;
                if (set->dtype == NFT_DATA_VERDICT)
                        return -EOPNOTSUPP;