From: Shmulik Ladkani <shmulik@nsof.io>
To: netfilter-devel@vger.kernel.org, Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Willem de Bruijn <willemb@google.com>,
	rbk@nsof.io, shmulik@nsof.io, Rafael Buchbinder <rafi@rbk.ms>
Subject: [PATCH v2 1/2] iptables: support match info fixup after tc_init
Date: Sun, 17 Sep 2017 14:20:30 +0300	[thread overview]
Message-ID: <20170917112031.8644-2-shmulik@nsof.io> (raw)
In-Reply-To: <20170917112031.8644-1-shmulik@nsof.io>

From: Rafael Buchbinder <rafi@rbk.ms>

From: Rafael Buchbinder <rafi@rbk.ms>

This commit introduces a framework to fix up match info,
which may be required by an extension.

Signed-off-by: Rafael Buchbinder <rafi@rbk.ms>
Signed-off-by: Shmulik Ladkani <shmulik@nsof.io>
---
 include/xtables.h    |  3 +++
 iptables/ip6tables.c | 35 +++++++++++++++++++++++++++++++++++
 iptables/iptables.c  | 34 ++++++++++++++++++++++++++++++++++
 3 files changed, 72 insertions(+)

diff --git a/include/xtables.h b/include/xtables.h
index e9bc3b7d..687cfe9f 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -273,6 +273,9 @@ struct xtables_match {
 	/* ip is struct ipt_ip * for example */
 	void (*save)(const void *ip, const struct xt_entry_match *match);
 
+	/* Fixes the match info after init. */
+	void (*tc_init_fixup)(struct xt_entry_match *match);
+
 	/* Print match name or alias */
 	const char *(*alias)(const struct xt_entry_match *match);
 
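Review bot: The comment on `tc_init_fixup` does not tell an extension author what the callback may assume or change. Judging by the callers added later in this patch, it is invoked for each match of each rule in the table just read from the kernel, on a mutable pointer into that in-memory copy, and only when the rule's revision equals the extension's. I would spell that out, e.g. `/* Called for each match found in the table fetched at init; may rewrite the match data in place, must not change its size. */`. The member is also added in the middle of `struct xtables_match`, which continues outside this hunk, so extensions built against the old header would see a different layout; it may be worth confirming that the library's version check covers this.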
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 49bd006f..0a6afa77 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -925,6 +925,39 @@ delete_chain6(const xt_chainlabel chain, int verbose,
 	return ip6tc_delete_chain(chain, handle);
 }
 
+
+static int
+tc_init_fixup_match(struct xt_entry_match *m)
+{
+	const struct xtables_match *match =
+		xtables_find_match(m->u.user.name, XTF_TRY_LOAD, NULL);
+
+	if (match) {
+		if (match->tc_init_fixup && m->u.user.revision == match->revision)
+			match->tc_init_fixup(m);
+	}
+
+	/* Don't stop iterating. */
+	return 0;
+}
+
+static void
+tc_init_fixup(struct xtc_handle *handle)
+{
+	const char *chain;
+
+	for (chain = ip6tc_first_chain(handle);
+	     chain;
+	     chain = ip6tc_next_chain(handle)) {
+		const struct ip6t_entry *entry = ip6tc_first_rule(chain, handle);
+
+		while (entry) {
+			IP6T_MATCH_ITERATE(entry, tc_init_fixup_match);
+			entry = ip6tc_next_rule(entry, handle);
+		}
+	}
+}
+
 static int
 list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
 	     int expanded, int linenumbers, struct xtc_handle *handle)
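Review bot: `tc_init_fixup_match` hands `m` to the extension after comparing only the revision, so the callback has to trust that the payload behind `m` is as large as its own info struct. The entry comes from the table blob read back from the kernel, and a userspace extension built against different headers than the running kernel could disagree on that size while sharing name and revision. A guard such as `if (m->u.match_size < XT_ALIGN(sizeof(*m)) + XT_ALIGN(match->size)) return 0;` before the call would keep the callback from reading or writing past the match. The lookup also uses `XTF_TRY_LOAD` and the callback returns `void`, so a missing extension or a failed fixup is silent; a short comment saying that this is intended would help. The same applies to the identical function added in iptables/iptables.c.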
@@ -1795,6 +1828,8 @@ int do_command6(int argc, char *argv[], char **table,
 			"can't initialize ip6tables table `%s': %s",
 			*table, ip6tc_strerror(errno));
 
+	tc_init_fixup(*handle);
+
 	if (command == CMD_APPEND
 	    || command == CMD_DELETE
 	    || command == CMD_CHECK
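Review bot: `tc_init_fixup(*handle)` is placed after the init error path and so runs on every call of `do_command6`, whatever the command. If the function can be entered with a handle that a previous call already initialized (the init code is above this hunk), every rule's matches are fixed up again on each call, which repeats the extension lookups and any resource the callback acquires. Running the fixup only in the branch that actually created the handle would avoid that. Read-only commands also pay for a full walk of the table and a load attempt per match; a comment explaining why that is needed for all commands would help. The same call is added to `do_command4` in iptables/iptables.c.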
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 69d19fec..f220a8e4 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -909,6 +909,38 @@ delete_chain4(const xt_chainlabel chain, int verbose,
 	return iptc_delete_chain(chain, handle);
 }
 
+static int
+tc_init_fixup_match(struct xt_entry_match *m)
+{
+	const struct xtables_match *match =
+		xtables_find_match(m->u.user.name, XTF_TRY_LOAD, NULL);
+
+	if (match) {
+		if (match->tc_init_fixup && m->u.user.revision == match->revision)
+			match->tc_init_fixup(m);
+	}
+
+	/* Don't stop iterating. */
+	return 0;
+}
+
+static void
+tc_init_fixup(struct xtc_handle *handle)
+{
+	const char *chain;
+
+	for (chain = iptc_first_chain(handle);
+	     chain;
+	     chain = iptc_next_chain(handle)) {
+		const struct ipt_entry *entry = iptc_first_rule(chain, handle);
+
+		while (entry) {
+			IPT_MATCH_ITERATE(entry, tc_init_fixup_match);
+			entry = iptc_next_rule(entry, handle);
+		}
+	}
+}
+
 static int
 list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
 	     int expanded, int linenumbers, struct xtc_handle *handle)
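Review bot: `tc_init_fixup_match` here is line-for-line the same as the copy added to iptables/ip6tables.c, and `tc_init_fixup` differs only in the `iptc_`/`ip6tc_` prefixes and the iterate macro. Two static copies mean any later fix to this logic has to be made twice; the match callback at least could live in code shared by both front ends. Also, `entry` is declared `const struct ipt_entry *` while the callback receives a non-const `struct xt_entry_match *` and may write through it. A comment such as `/* The fixup deliberately modifies the in-memory copy of the table. */` above the loop would make that intent clear.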
@@ -1781,6 +1813,8 @@ int do_command4(int argc, char *argv[], char **table,
 			   "can't initialize iptables table `%s': %s",
 			   *table, iptc_strerror(errno));
 
+	tc_init_fixup(*handle);
+
 	if (command == CMD_APPEND
 	    || command == CMD_DELETE
 	    || command == CMD_CHECK
-- 
2.14.1



Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-09-17 11:20 [PATCH v2 0/2] xt_bpf: fix handling of pinned objects Shmulik Ladkani
2017-09-17 11:20 ` Shmulik Ladkani [this message]
2017-09-18 16:28   ` [PATCH v2 1/2] iptables: support match info fixup after tc_init Pablo Neira Ayuso
2017-09-18 17:00     ` Shmulik Ladkani
2017-09-18 17:23       ` Pablo Neira Ayuso
2017-09-18 17:50         ` Willem de Bruijn
2017-09-18 17:54           ` Pablo Neira Ayuso
2017-10-04 14:33             ` Pablo Neira Ayuso
2017-10-04 14:38               ` Shmulik Ladkani
2017-09-18 18:04       ` Jan Engelhardt
2017-09-17 11:20 ` [PATCH v2 2/2] extensions: xt_bpf: get the pinned ebpf object when match is initialized Shmulik Ladkani
2017-09-18 16:22   ` Willem de Bruijn
