From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: [nf-next PATCH v2 2/2] netfilter: nf_tables: Annotate reduced expressions
Date: Thu, 12 May 2022 14:30:03 +0200
Message-ID: <20220512123003.29903-3-phil@nwl.cc>
In-Reply-To: <20220512123003.29903-1-phil@nwl.cc>

Introduce NFTA_EXPR_FLAG_REDUCED and set it for expressions which were
omitted from the rule blob due to being redundant. This allows user
space to verify the rule optimizer's results.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
Changes since v1:
- Keep pointers in struct nft_regs_track const and avoid assigning from
track.cur to expr instead.
- Fix for situations where nft_expr_reduce() causes skipping of multiple
expressions (payload + bitwise for instance).
---
include/uapi/linux/netfilter/nf_tables.h | 7 +++++++
net/netfilter/nf_tables_api.c | 8 ++++++--
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 36bf019322a44..1da84ebc3f27a 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -523,6 +523,13 @@ enum nft_expr_attributes {
};
#define NFTA_EXPR_MAX (__NFTA_EXPR_MAX - 1)
+/**
+ * NFTA_EXPR_FLAGS values
+ *
+ * @NFTA_EXPR_FLAG_REDUCED: redundant expression omitted from blob
+ */
+#define NFTA_EXPR_FLAG_REDUCED (1 << 0)
+
/**
* enum nft_immediate_attributes - nf_tables immediate expression netlink attributes
*
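Review bot: the comment block documents "NFTA_EXPR_FLAGS values", but NFTA_EXPR_FLAGS itself is not part of this hunk (presumably it is introduced by patch 1/2), and the define lands after NFTA_EXPR_MAX rather than next to the attribute it describes; placing `#define NFTA_EXPR_FLAG_REDUCED (1 << 0)` directly beside the attribute and naming that attribute in the comment would keep the uapi header self-explanatory. Since the commit message describes this bit as set by the kernel to report its own optimizer result, the comment should also state that the value is kernel-set only, and the rule parsing path for an incoming NFTA_EXPR_FLAGS should reject or mask it, so that a user-supplied bit cannot later be read back as if the optimizer had produced it.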
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index fddc557983119..d4fd32cf74d69 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -8360,8 +8360,8 @@ static bool nft_expr_reduce(struct nft_regs_track *track,
static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
{
- const struct nft_expr *expr, *last;
struct nft_regs_track track = {};
+ struct nft_expr *expr, *last;
unsigned int size, data_size;
void *data, *data_boundary;
struct nft_rule_dp *prule;
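Review bot: dropping `const` from both pointers is wider than the change needs; only `expr` is written through (the `expr->flags |= NFTA_EXPR_FLAG_REDUCED;` lines in the next hunk), so `last` can keep its qualifier with a separate `const struct nft_expr *last;` declaration. Moving the declaration below `track` preserves the reverse-christmas-tree ordering, which is fine.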
@@ -8404,7 +8404,11 @@ static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *cha
track.cur = expr;
if (nft_expr_reduce(&track, expr)) {
- expr = track.cur;
+ expr->flags |= NFTA_EXPR_FLAG_REDUCED;
+ while (expr != track.cur) {
+ expr = nft_expr_next(expr);
+ expr->flags |= NFTA_EXPR_FLAG_REDUCED;
+ }
continue;
}
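Review bot: the flag is only ever OR-ed in on this path and never cleared, so an expression marked NFTA_EXPR_FLAG_REDUCED on one commit keeps that mark on a later prepare of the same chain even if nft_expr_reduce() no longer reduces it (for instance because the preceding expressions in the chain changed). Unless the bit is cleared elsewhere before each run, user space would read a stale annotation; clearing it with `expr->flags &= ~NFTA_EXPR_FLAG_REDUCED;` at the top of the per-expression loop, just before `track.cur = expr;`, would make the annotation reflect the current result. The `while (expr != track.cur)` walk also relies on every reduce callback leaving track.cur reachable forward from expr within the same rule; adding `expr != last` to the loop condition would make that contract explicit instead of implicit.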
--
2.34.1
Thread overview:
2022-05-12 12:30 [nf-next PATCH v2 0/2] nf_tables: Export rule optimizer results to user space Phil Sutter
2022-05-12 12:30 ` [nf-next PATCH v2 1/2] netfilter: nf_tables: Introduce expression flags Phil Sutter
2022-05-12 12:34 ` Pablo Neira Ayuso
2022-05-12 13:27 ` Phil Sutter
2022-05-12 12:30 ` Phil Sutter [this message]