netfilter: nf_tables: use NLM_F_NONREC for deletion requests

Bail out if user requests non-recursive deletion for tables and sets.
This new flags tells nf_tables netlink interface to reject deletions if
tables and sets have content.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index d95dfafea1e7d5a868a1ee6f7f2cdd19efe2f3c3..47fc7cd3f936a8b4403afc918618eb0cab2d78f7 100644 (file)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -860,6 +860,10 @@ static int nf_tables_deltable(struct net *net, struct sock *nlsk,
        if (IS_ERR(table))
                return PTR_ERR(table);
 
+       if (nlh->nlmsg_flags & NLM_F_NONREC &&
+           table->use > 0)
+               return -EBUSY;
+
        ctx.afi = afi;
        ctx.table = table;
 
@@ -3225,7 +3229,9 @@ static int nf_tables_delset(struct net *net, struct sock *nlsk,
        set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
        if (IS_ERR(set))
                return PTR_ERR(set);
-       if (!list_empty(&set->bindings))
+
+       if (!list_empty(&set->bindings) ||
+           (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0))
                return -EBUSY;
 
        return nft_delset(&ctx, set);