From: Vlad Buslov <vladbu@nvidia.com>
To: Florian Westphal <fw@strlen.de>,
	Fernando Fernandez Mancera <ffmancera@riseup.net>
Cc: <netdev@vger.kernel.org>, Jakub Kicinski <kuba@kernel.org>,
	Eric Dumazet <edumazet@google.com>,
	Paolo Abeni <pabeni@redhat.com>,
	"David S. Miller" <davem@davemloft.net>,
	<netfilter-devel@vger.kernel.org>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	Maor Dickman <maord@nvidia.com>
Subject: Re: [PATCH net-next 9/9] netfilter: nf_tables: add support to destroy operation
Date: Thu, 19 Jan 2023 09:29:50 +0200
Message-ID: <87o7qvasfv.fsf@nvidia.com>
In-Reply-To: <20230118123208.17167-10-fw@strlen.de>

On Wed 18 Jan 2023 at 13:32, Florian Westphal <fw@strlen.de> wrote:
> From: Fernando Fernandez Mancera <ffmancera@riseup.net>
>
> Introduce NFT_MSG_DESTROY* message type. The destroy operation performs a
> delete operation but ignoring the ENOENT errors.
>
> This is useful for the transaction semantics, where failing to delete an
> object which does not exist results in aborting the transaction.
>
> This new command allows the transaction to proceed in case the object
> does not exist.
>
> Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
>  include/uapi/linux/netfilter/nf_tables.h |  14 +++
>  net/netfilter/nf_tables_api.c            | 111 +++++++++++++++++++++--
>  2 files changed, 117 insertions(+), 8 deletions(-)
>
> diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
> index cfa844da1ce6..ff677f3a6cad 100644
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b/include/uapi/linux/netfilter/nf_tables.h
> @@ -98,6 +98,13 @@ enum nft_verdicts {
>   * @NFT_MSG_GETFLOWTABLE: get flow table (enum nft_flowtable_attributes)
>   * @NFT_MSG_DELFLOWTABLE: delete flow table (enum nft_flowtable_attributes)
>   * @NFT_MSG_GETRULE_RESET: get rules and reset stateful expressions (enum nft_obj_attributes)
> + * @NFT_MSG_DESTROYTABLE: destroy a table (enum nft_table_attributes)
> + * @NFT_MSG_DESTROYCHAIN: destroy a chain (enum nft_chain_attributes)
> + * @NFT_MSG_DESTROYRULE: destroy a rule (enum nft_rule_attributes)
> + * @NFT_MSG_DESTROYSET: destroy a set (enum nft_set_attributes)
> + * @NFT_MSG_DESTROYSETELEM: destroy a set element (enum nft_set_elem_attributes)
> + * @NFT_MSG_DESTROYOBJ: destroy a stateful object (enum nft_object_attributes)
> + * @NFT_MSG_DESTROYFLOWTABLE: destroy flow table (enum nft_flowtable_attributes)
>   */
>  enum nf_tables_msg_types {
>  	NFT_MSG_NEWTABLE,
> @@ -126,6 +133,13 @@ enum nf_tables_msg_types {
>  	NFT_MSG_GETFLOWTABLE,
>  	NFT_MSG_DELFLOWTABLE,
>  	NFT_MSG_GETRULE_RESET,
> +	NFT_MSG_DESTROYTABLE,
> +	NFT_MSG_DESTROYCHAIN,
> +	NFT_MSG_DESTROYRULE,
> +	NFT_MSG_DESTROYSET,
> +	NFT_MSG_DESTROYSETELEM,
> +	NFT_MSG_DESTROYOBJ,
> +	NFT_MSG_DESTROYFLOWTABLE,
>  	NFT_MSG_MAX,
>  };
>  
> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> index 8c09e4d12ac1..974b95dece1d 100644
> --- a/net/netfilter/nf_tables_api.c
> +++ b/net/netfilter/nf_tables_api.c
> @@ -1401,6 +1401,10 @@ static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info,
>  	}
>  
>  	if (IS_ERR(table)) {
> +		if (PTR_ERR(table) == -ENOENT &&
> +		    NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYTABLE)
> +			return 0;
> +
>  		NL_SET_BAD_ATTR(extack, attr);
>  		return PTR_ERR(table);
>  	}
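Review bot: the three added lines are a pattern that the later hunks repeat verbatim for chains and rules, each with its own NFT_MSG_DESTROY* constant; a small helper along the lines of a hypothetical `nft_msg_is_destroy(info, NFT_MSG_DESTROYTABLE)` wrapping the `NFNL_MSG_TYPE(info->nlh->nlmsg_type) == ...` comparison would keep the call sites identical and make it harder for one of them to drift, as the nf_tables_delrule hunk further down already has. It is also worth stating in the commit message that only -ENOENT is swallowed: any other error from the table lookup still hits NL_SET_BAD_ATTR() and is returned, so a destroy never hides a refusal, which is the right behaviour and should be kept when the code is refactored.
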
> @@ -2639,6 +2643,10 @@ static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info,
>  		chain = nft_chain_lookup(net, table, attr, genmask);
>  	}
>  	if (IS_ERR(chain)) {
> +		if (PTR_ERR(chain) == -ENOENT &&
> +		    NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN)
> +			return 0;
> +
>  		NL_SET_BAD_ATTR(extack, attr);
>  		return PTR_ERR(chain);
>  	}
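Review bot: the -ENOENT tolerance added here applies only to the chain lookup; the commit message describes destroy as a delete that ignores ENOENT, so please state (in the commit message or a comment) whether an -ENOENT from resolving the parent table earlier in nf_tables_delchain() is intentionally still an error for NFT_MSG_DESTROYCHAIN. As written, a batch that destroys a chain whose table is already gone would still abort the transaction, which may be intended but is not what the description leads a reader to expect.
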
> @@ -3716,6 +3724,10 @@ static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
>  		chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
>  					 genmask);
>  		if (IS_ERR(chain)) {
> +			if (PTR_ERR(rule) == -ENOENT &&
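Review bot: the added condition tests the wrong pointer. The lookup that just failed is `chain` (see the enclosing `if (IS_ERR(chain))`), and `rule` has not been assigned at this point, so `PTR_ERR(rule)` reads an uninitialized variable; beyond the Coverity warning, that is undefined behaviour, and whether the destroy path returns 0 or falls through to the error path becomes compiler-dependent. The line should match the table and chain hunks: `if (PTR_ERR(chain) == -ENOENT &&` followed by the NFT_MSG_DESTROYRULE type check.
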

Coverity complains that at this point rule is not initialized yet, which
looks to be the case to me.

[...]

