conntrack: api: bail out if setting up filter for flush/dump fails

Instead of asserting or simply ignoring the filter, bail out if setting up filter fails. Fixes: c2136262802f ("Adding NFCT_FILTER_DUMP_TUPLE in filter_dump_attr, using kernel CTA_FILTER API") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2024-01-24 21:42:06 +0100
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2024-01-24 22:22:06 +0100
commit: 3b620faee61fc9d356ca323ad6c8fe50b8b2b697 (patch)
tree: 9cf0ff9cb787a5a94a650a62bd1f9c1320cc900d /src/conntrack/api.c
parent: 931dc2d4c9195ab50974ce8af1a14053f2ebdc84 (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/src/conntrack/api.c b/src/conntrack/api.c
index 60c87b3..22965f1 100644
--- a/src/conntrack/api.c
+++ b/src/conntrack/api.c
@@ -850,12 +850,14 @@ __build_query_ct(struct nfnl_subsys_handle *ssh,
 	case NFCT_Q_DUMP_FILTER:
 		nfct_fill_hdr(req, IPCTNL_MSG_CT_GET, NLM_F_DUMP, AF_UNSPEC,
 			      NFNETLINK_V0);
-		assert(__build_filter_dump(req, size, data) == 0);
+		if (__build_filter_dump(req, size, data) < 0)
+			return -1;
 		break;
 	case NFCT_Q_DUMP_FILTER_RESET:
 		nfct_fill_hdr(req, IPCTNL_MSG_CT_GET_CTRZERO, NLM_F_DUMP,
 			      AF_UNSPEC, NFNETLINK_V0);
-		__build_filter_dump(req, size, data);
+		if (__build_filter_dump(req, size, data) < 0)
+			return -1;
 		break;
 	default:
 		errno = ENOTSUP;
author	Pablo Neira Ayuso <pablo@netfilter.org>	2024-01-24 21:42:06 +0100
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2024-01-24 22:22:06 +0100
commit	3b620faee61fc9d356ca323ad6c8fe50b8b2b697 (patch)
tree	9cf0ff9cb787a5a94a650a62bd1f9c1320cc900d /src/conntrack/api.c
parent	931dc2d4c9195ab50974ce8af1a14053f2ebdc84 (diff)