leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

netfilter: nf_tables: support different set binding types

Browse Source 
Currently a set binding is assumed to be related to a lookup and, in
case of maps, a data load.

In order to use bindings for set updates, the loop detection checks
must be restricted to map operations only. Add a flags member to the
binding struct to hold the set "action" flags such as NFT_SET_MAP,
and perform loop detection based on these.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Patrick McHardy
2015-04-05 14:41:07 +02:00
committed by Pablo Neira Ayuso
parent 3dd0673ac3
commit 11113e190b
3 changed files with 12 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
include/net/netfilter/nf_tables.h
View File

@@ -316,6 +316,7 @@ static inline unsigned long nft_set_gc_interval(const struct nft_set *set)
* *
* @list: set bindings list node * @list: set bindings list node
* @chain: chain containing the rule bound to the set * @chain: chain containing the rule bound to the set
* @flags: set action flags
* *
* A set binding contains all information necessary for validation * A set binding contains all information necessary for validation
* of new elements added to a bound set. * of new elements added to a bound set.
@@ -323,6 +324,7 @@ static inline unsigned long nft_set_gc_interval(const struct nft_set *set)
struct nft_set_binding { struct nft_set_binding {
struct list_head list; struct list_head list;
const struct nft_chain *chain; const struct nft_chain *chain;
u32 flags;
}; };
int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,

11
net/netfilter/nf_tables_api.c
View File

@@ -2811,12 +2811,13 @@ int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS) if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
return -EBUSY; return -EBUSY;
if (set->flags & NFT_SET_MAP) { if (binding->flags & NFT_SET_MAP) {
/* If the set is already bound to the same chain all /* If the set is already bound to the same chain all
* jumps are already validated for that chain. * jumps are already validated for that chain.
*/ */
list_for_each_entry(i, &set->bindings, list) { list_for_each_entry(i, &set->bindings, list) {
if (i->chain == binding->chain) if (binding->flags & NFT_SET_MAP &&
i->chain == binding->chain)
goto bind; goto bind;
} }
@@ -3312,6 +3313,9 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
.chain = (struct nft_chain *)binding->chain, .chain = (struct nft_chain *)binding->chain,
}; };
if (!(binding->flags & NFT_SET_MAP))
continue;
err = nft_validate_data_load(&bind_ctx, dreg, err = nft_validate_data_load(&bind_ctx, dreg,
&data, d2.type); &data, d2.type);
if (err < 0) if (err < 0)
@@ -4063,7 +4067,8 @@ static int nf_tables_check_loops(const struct nft_ctx *ctx,
continue; continue;
list_for_each_entry(binding, &set->bindings, list) { list_for_each_entry(binding, &set->bindings, list) {
if (binding->chain != chain) if (!(binding->flags & NFT_SET_MAP) ||
binding->chain != chain)
continue; continue;
iter.skip = 0; iter.skip = 0;

2
net/netfilter/nft_lookup.c
View File

@@ -92,6 +92,8 @@ static int nft_lookup_init(const struct nft_ctx *ctx,
} else if (set->flags & NFT_SET_MAP) } else if (set->flags & NFT_SET_MAP)
return -EINVAL; return -EINVAL;
priv->binding.flags = set->flags & NFT_SET_MAP;
err = nf_tables_bind_set(ctx, set, &priv->binding); err = nf_tables_bind_set(ctx, set, &priv->binding);
if (err < 0) if (err < 0)
return err; return err;