netfilter: nf_tables: disallow element removal on anonymous sets

[sfrench/cifs-2.6.git] / net / netfilter / nf_tables_api.c

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 7b59311931fb049039d5568fd8ef885fa41ebd15..c1e485aee763f4b1f911b15deb76cced8ed2faa1 100644 (file)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1446,8 +1446,7 @@ static int nft_flush_table(struct nft_ctx *ctx)
                if (!nft_is_active_next(ctx->net, set))
                        continue;
 
-               if (nft_set_is_anonymous(set) &&
-                   !list_empty(&set->bindings))
+               if (nft_set_is_anonymous(set))
                        continue;
 
                err = nft_delset(ctx, set);
@@ -7191,8 +7190,10 @@ static int nf_tables_delsetelem(struct sk_buff *skb,
        if (IS_ERR(set))
                return PTR_ERR(set);
 
-       if (!list_empty(&set->bindings) &&
-           (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS)))
+       if (nft_set_is_anonymous(set))
+               return -EOPNOTSUPP;
+
+       if (!list_empty(&set->bindings) && (set->flags & NFT_SET_CONSTANT))
                return -EBUSY;
 
        nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);