From: Florian Westphal <fw@strlen.de>
To: netdev@breakpoint.cc
Cc: Jakub Kicinski <kuba@kernel.org>,
eric@breakpoint.cc, Paolo Abeni <pabeni@redhat.com>,
"David S. Miller" <davem@davemloft.net>,
netfilter-devel <netfilter-devel@vger.kernel.org>
Subject: [PATCH net-next 1/9] netfilter: nf_tables: relax set/map validation checks
Date: Thu, 18 May 2023 11:46:34 +0200
Message-ID: <20230518094642.84097-2-fw@strlen.de>
In-Reply-To: <20230518094642.84097-1-fw@strlen.de>

It's currently not allowed to perform queries on a map, for example:

    table t {
        map m {
            typeof ip saddr : meta mark
            ..
        chain c {
            ip saddr @m counter
will fail, because kernel requires that userspace provides a destination
register when the referenced set is a map.
However, internally there is no real distinction between sets and maps,
maps are just sets where each key is associated with a value.
Relax this so that maps can be used just like sets.
This allows rules that query whether a given key exists
without making use of the associated value.
This also permits != checks, which don't work for map lookups.
When no destination reg is given for a map, permit this for named
maps.
Data and dump paths need to be updated to consider priv->dreg_set
instead of the 'set-is-a-map' check.
Checks in reduce and validate callbacks are not changed; this
can be relaxed later if a need arises.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nft_lookup.c | 23 +++++++++++++++--------
1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c
index 03ef4fdaa460..29ac48cdd6db 100644
--- a/net/netfilter/nft_lookup.c
+++ b/net/netfilter/nft_lookup.c
@@ -19,6 +19,7 @@ struct nft_lookup {
struct nft_set *set;
u8 sreg;
u8 dreg;
+ bool dreg_set;
bool invert;
struct nft_set_binding binding;
};
@@ -75,7 +76,7 @@ void nft_lookup_eval(const struct nft_expr *expr,
}
if (ext) {
- if (set->flags & NFT_SET_MAP)
+ if (priv->dreg_set)
nft_data_copy(®s->data[priv->dreg],
nft_set_ext_data(ext), set->dlen);
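Review bot: gating the copy into regs->data[priv->dreg] on priv->dreg_set instead of on the set's NFT_SET_MAP flag is the right condition for this hunk, because priv->dreg is only meaningful once the DREG attribute has been parsed in init and a lookup-only rule on a named map has no register to write into. What this hunk cannot show is that dreg_set can only ever become true for a map, which is what makes nft_set_ext_data(ext) and set->dlen valid here; that rejection of DREG on a plain set lives in init outside the visible context, so confirm it is still there. (The `®s` in the copy line is the archive's rendering of `&regs`.)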
@@ -122,11 +123,8 @@ static int nft_lookup_init(const struct nft_ctx *ctx,
if (flags & ~NFT_LOOKUP_F_INV)
return -EINVAL;
- if (flags & NFT_LOOKUP_F_INV) {
- if (set->flags & NFT_SET_MAP)
- return -EINVAL;
+ if (flags & NFT_LOOKUP_F_INV)
priv->invert = true;
- }
}
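Review bot: dropping the NFT_SET_MAP rejection under NFT_LOOKUP_F_INV means an inverted lookup against a map is now accepted at this point, which is what the commit message wants for `!=` checks. The combination that must still be refused is invert together with a destination register, since a negated lookup cannot produce a value to store. That check is not among this hunk's visible lines, so confirm that the DREG branch below still returns -EINVAL when priv->invert is set before the register is parsed; otherwise the relaxation would let a rule negate a map lookup and later read a register that was never written.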
if (tb[NFTA_LOOKUP_DREG] != NULL) {
@@ -140,8 +138,17 @@ static int nft_lookup_init(const struct nft_ctx *ctx,
set->dlen);
if (err < 0)
return err;
- } else if (set->flags & NFT_SET_MAP)
- return -EINVAL;
+ priv->dreg_set = true;
+ } else if (set->flags & NFT_SET_MAP) {
+ /* Map given, but user asks for lookup only (i.e. to
+ * ignore value assoicated with key).
+ *
+ * This makes no sense for anonymous maps since they are
+ * scoped to the rule, but for named sets this can be useful.
+ */
+ if (set->flags & NFT_SET_ANONYMOUS)
+ return -EINVAL;
+ }
priv->binding.flags = set->flags & NFT_SET_MAP;
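Review bot: two wording fixes in the new comment: "assoicated" should be "associated", and "but for named sets this can be useful" should say "named maps", since this else-branch is only reached when set->flags has NFT_SET_MAP. Separately, priv->binding.flags is still derived from set->flags & NFT_SET_MAP rather than from dreg_set, so a lookup-only rule still binds the named map as a map; that matches the set's own type and looks intentional, but a one-line comment next to it would stop the next reader from "fixing" it to follow dreg_set.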
@@ -188,7 +195,7 @@ static int nft_lookup_dump(struct sk_buff *skb,
goto nla_put_failure;
if (nft_dump_register(skb, NFTA_LOOKUP_SREG, priv->sreg))
goto nla_put_failure;
- if (priv->set->flags & NFT_SET_MAP)
+ if (priv->dreg_set)
if (nft_dump_register(skb, NFTA_LOOKUP_DREG, priv->dreg))
goto nla_put_failure;
if (nla_put_be32(skb, NFTA_LOOKUP_FLAGS, htonl(flags)))
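Review bot: dump is now consistent with init: NFTA_LOOKUP_DREG is emitted exactly when it was parsed, so a lookup-only rule on a named map round-trips without a DREG attribute and is re-accepted by the new else-branch in init. The commit message says the reduce and validate callbacks are left on the set-is-a-map check; since those paths are not in this patch, make sure neither of them touches priv->dreg for a map rule where dreg_set is false.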
--
2.40.1
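As an added illustration, not part of this patch or of the nftables project, the ruleset below uses one named map both as a map and as a plain set in the way the commit message describes. It assumes a kernel with this change applied and an nft userspace that accepts the map-as-set syntax; the table, map and chain names, the addresses and the mark values are constructed for the example.

```nft
# Constructed example ruleset (not from the patch): a named map used
# for value lookups and, after this change, for existence checks too.
table ip t {
    # Named map: source address -> packet mark.
    map m {
        typeof ip saddr : meta mark
        elements = { 192.0.2.10 : 0x10, 192.0.2.20 : 0x20 }
    }

    chain c {
        type filter hook input priority filter; policy accept;

        # Existence check only: no destination register, the value
        # associated with the key is ignored. Rejected before this patch.
        ip saddr @m counter

        # Negated lookup, now permitted for maps; a negated lookup can
        # never produce a value, so no destination register is possible.
        ip saddr != @m counter

        # Ordinary map lookup: the key's value is written to the mark
        # register. This form was already allowed before the patch.
        meta mark set ip saddr map @m
    }
}
```

Check the file without loading it with `nft -c -f ruleset.nft`, then load it with `nft -f ruleset.nft`; on a kernel without this change only the first two rules in chain c are rejected. An anonymous map (an inline `{ ... : ... }` map literal) cannot be used in the existence-check form, since the new else-branch in nft_lookup_init refuses NFT_SET_ANONYMOUS maps without a destination register.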
Thread overview:
2023-05-18 9:46 [PATCH net-next 0/9] Netfilter updates for net-next Florian Westphal
2023-05-18 9:46 ` Florian Westphal [this message]
2023-05-18 9:46 ` [PATCH net-next 2/9] netfilter: nf_tables: always increment set element count Florian Westphal
2023-05-18 9:46 ` [PATCH net-next 3/9] netfilter: nft_exthdr: add boolean DCCP option matching Florian Westphal
2023-05-18 9:46 ` [PATCH net-next 4/9] netfilter: Reorder fields in 'struct nf_conntrack_expect' Florian Westphal
2023-05-18 9:46 ` [PATCH net-next 5/9] netfilter: nft_set_pipapo: Use struct_size() Florian Westphal
2023-05-18 9:46 ` [PATCH net-next 6/9] netfilter: conntrack: allow insertion clash of gre protocol Florian Westphal
2023-05-18 9:46 ` [PATCH net-next 7/9] netfilter: flowtable: simplify route logic Florian Westphal
2023-05-18 9:46 ` [PATCH net-next 8/9] netfilter: flowtable: split IPv4 datapath in helper functions Florian Westphal
2023-05-18 9:46 ` [PATCH net-next 9/9] netfilter: flowtable: split IPv6 " Florian Westphal
-- strict thread matches above, loose matches on Subject: below --
2023-05-18 10:07 [PATCH net-next 0/9] Netfilter updates for net-next Florian Westphal
2023-05-18 10:07 ` [PATCH net-next 1/9] netfilter: nf_tables: relax set/map validation checks Florian Westphal
2023-05-18 22:50 ` patchwork-bot+netdevbpf