netfilter: ipset: Support the -exist flag with the destroy command

The -exist flag was supported with the create, add and delete commands.
In order to gracefully handle the destroy command with nonexistent sets,
the -exist flag is added to destroy too.

Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 6f35832f0de384b4f969b2e9a8ac0c3e54eaa0de..e3c00dacec5ccb7e0fef47ef44563d78abba12d9 100644 (file)
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1239,10 +1239,12 @@ static int ip_set_destroy(struct net *net, struct sock *ctnl,
                /* Modified by ip_set_destroy() only, which is serialized */
                inst->is_destroyed = false;
        } else {
+               u32 flags = flag_exist(nlh);
                s = find_set_and_id(inst, nla_data(attr[IPSET_ATTR_SETNAME]),
                                    &i);
                if (!s) {
-                       ret = -ENOENT;
+                       if (!(flags & IPSET_FLAG_EXIST))
+                               ret = -ENOENT;
                        goto out;
                } else if (s->ref || s->ref_netlink) {
                        ret = -IPSET_ERR_BUSY;