netfilter: nf_tables_offload: return EOPNOTSUPP if rule specifies no actions

If the rule only specifies the matching side, return EOPNOTSUPP. Otherwise, the front-end relies on the drivers to reject this rule. Fixes: c9626a2cbdb2 ("netfilter: nf_tables: add hardware offload support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2019-12-06 22:49:58 +0100
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2019-12-09 13:14:05 +0100
commit: 81ec61074bcf68acfcb2820cda3ff9d9984419c7 (patch)
tree: e60fc2f886d1f4944449f2c1f8dff19e1f0c985f /net
parent: fd57d0cbe187e93f63777d36e9f49293311d417f (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c
index d7a35da008ef..22fb18906ccf 100644
--- a/net/netfilter/nf_tables_offload.c
+++ b/net/netfilter/nf_tables_offload.c
@@ -44,6 +44,9 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net,
 		expr = nft_expr_next(expr);
 	}
 
+	if (num_actions == 0)
+		return ERR_PTR(-EOPNOTSUPP);
+
 	flow = nft_flow_rule_alloc(num_actions);
 	if (!flow)
 		return ERR_PTR(-ENOMEM);
author	Pablo Neira Ayuso <pablo@netfilter.org>	2019-12-06 22:49:58 +0100
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2019-12-09 13:14:05 +0100
commit	81ec61074bcf68acfcb2820cda3ff9d9984419c7 (patch)
tree	e60fc2f886d1f4944449f2c1f8dff19e1f0c985f /net
parent	fd57d0cbe187e93f63777d36e9f49293311d417f (diff)