From: Florian Westphal <fw@strlen.de>
To: Fernando Fernandez Mancera <ffmancera@riseup.net>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH WIP nf-next] netfilter: nf_tables: Introduce stateful object update operation
Date: Mon, 19 Aug 2019 13:55:27 +0200	[thread overview]
Message-ID: <20190819115527.GH2588@breakpoint.cc> (raw)
In-Reply-To: <20190819111914.10514-1-ffmancera@riseup.net>

Fernando Fernandez Mancera <ffmancera@riseup.net> wrote:
> This is a WIP patch version. I am still having some issues in userspace but I
> would like to get feedback about the kernel-side patch. Thanks!
> 
> Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
> ---
>  include/net/netfilter/nf_tables.h |  6 +++
>  net/netfilter/nf_tables_api.c     | 73 ++++++++++++++++++++++++++++---
>  2 files changed, 72 insertions(+), 7 deletions(-)
> 
> diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
> index dc301e3d6739..dc4e32040ea9 100644
> --- a/include/net/netfilter/nf_tables.h
> +++ b/include/net/netfilter/nf_tables.h
> @@ -1123,6 +1123,9 @@ struct nft_object_ops {
>  	int				(*dump)(struct sk_buff *skb,
>  						struct nft_object *obj,
>  						bool reset);
> +	int				(*update)(const struct nft_ctx *ctx,
> +						  const struct nlattr *const tb[],
> +						  struct nft_object *obj);
>  	const struct nft_object_type	*type;
>  };
>  
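Review bot: The new `update` member is optional for object types, yet the call quoted later in `nf_tables_updobj()` (`obj->ops->update(ctx, ..., obj)`) is unconditional in the visible lines, so a type that leaves it NULL would be called through a NULL function pointer when a NEWOBJ message names an existing object. Unless lines trimmed from the quote already handle this, guard the caller before the transaction is allocated, e.g. `if (!obj->ops->update) return -EOPNOTSUPP;`. If `struct nft_object_ops` has a kernel-doc block above this hunk, add a matching line such as `@update: stateful object update` so the member list stays complete.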
> @@ -1405,10 +1408,13 @@ struct nft_trans_elem {
>  
>  struct nft_trans_obj {
>  	struct nft_object		*obj;
> +	bool				update;
>  };
>  
>  #define nft_trans_obj(trans)	\
>  	(((struct nft_trans_obj *)trans->data)->obj)
> +#define nft_trans_obj_update(trans)	\
> +	(((struct nft_trans_obj *)trans->data)->update)
>  
>  struct nft_trans_flowtable {
>  	struct nft_flowtable		*flowtable;
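Review bot: The `update` flag makes one transaction type, `NFT_MSG_NEWOBJ`, carry two meanings, so every consumer of that type has to branch on `nft_trans_obj_update(trans)`, not only the commit path quoted further down. The abort path is not in the quoted text; if it unlinks or destroys `nft_trans_obj(trans)` for NEWOBJ as it would for a freshly created object, an aborted update batch would tear down an object that existed before the batch, so it needs an equivalent branch. A short comment on the field, e.g. `/* transaction updates an existing object instead of adding one */`, would make the dual use explicit.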
> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> index fe3b7b0c6c66..d7b94904599c 100644
> --- a/net/netfilter/nf_tables_api.c
> +++ b/net/netfilter/nf_tables_api.c
> @@ -5122,6 +5122,48 @@ nft_obj_type_get(struct net *net, u32 objtype)
>  	return ERR_PTR(-ENOENT);
>  }
>  
> +static int nf_tables_updobj(const struct nft_ctx *ctx,
> +			    const struct nft_object_type *type,
> +			    const struct nlattr *attr,
> +			    struct nft_object *obj)
> +{
> +	struct nft_trans *trans;
> +	struct nlattr **tb;
> +	int err = -ENOMEM;
> +
> +	trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
> +				sizeof(struct nft_trans_obj));
> +	if (!trans)
> +		return -ENOMEM;
> +
> +	tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);

You can use kcalloc here and then remove the memset().

> +	err = obj->ops->update(ctx, (const struct nlattr * const *)tb, obj);
> +	if (err < 0)
> +		goto err;

This looks wrong, see below.

> @@ -5161,7 +5203,13 @@ static int nf_tables_newobj(struct net *net, struct sock *nlsk,
>  			NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
>  			return -EEXIST;
>  		}
> -		return 0;
> +		if (nlh->nlmsg_flags & NLM_F_REPLACE)
> +			return -EOPNOTSUPP;
> +
> +		type = nft_obj_type_get(net, objtype);
> +		nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
> +
> +		return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
>  	}
>  
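Review bot: The result of `nft_obj_type_get()` is handed to `nf_tables_updobj()` without an error check, although the context quoted for that helper shows it can return `ERR_PTR(-ENOENT)` and `nf_tables_updobj()` then reads `type->maxattr`, which would dereference an error pointer in the kernel. Add `if (IS_ERR(type)) return PTR_ERR(type);` right after the lookup. If the lookup also takes a module reference (not visible here), the update path has to drop it again on both success and failure, because no new object is created to hold it. The body of nf_tables_newobj starts and ends outside the hunk.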
>  		case NFT_MSG_NEWOBJ:
> -			nft_clear(net, nft_trans_obj(trans));
> -			nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
> -					     NFT_MSG_NEWOBJ);
> -			nft_trans_destroy(trans);
> +			if (nft_trans_obj_update(trans)) {
> +				nf_tables_obj_notify(&trans->ctx,
> +						     nft_trans_obj(trans),
> +						     NFT_MSG_NEWOBJ);

I would have expected the ->update() here, when committing the batch.
Under what conditions can an update() fail?
