From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org,
pabeni@redhat.com, edumazet@google.com
Subject: [PATCH net-next 15/20] netfilter: nf_tables: extended netlink error reporting for netdevice
Date: Sat, 22 Apr 2023 01:02:06 +0200 [thread overview]
Message-ID: <20230421230211.214635-16-pablo@netfilter.org> (raw)
In-Reply-To: <20230421230211.214635-1-pablo@netfilter.org>
Flowtable and netdev chains are bound to one or several netdevice,
extend netlink error reporting to specify the the netdevice that
triggers the error.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 38 ++++++++++++++++++++++-------------
1 file changed, 24 insertions(+), 14 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 44ebc5f9598e..0fd4e28fbb60 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1954,7 +1954,8 @@ static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
static int nf_tables_parse_netdev_hooks(struct net *net,
const struct nlattr *attr,
- struct list_head *hook_list)
+ struct list_head *hook_list,
+ struct netlink_ext_ack *extack)
{
struct nft_hook *hook, *next;
const struct nlattr *tmp;
@@ -1968,10 +1969,12 @@ static int nf_tables_parse_netdev_hooks(struct net *net,
hook = nft_netdev_hook_alloc(net, tmp);
if (IS_ERR(hook)) {
+ NL_SET_BAD_ATTR(extack, tmp);
err = PTR_ERR(hook);
goto err_hook;
}
if (nft_hook_list_find(hook_list, hook)) {
+ NL_SET_BAD_ATTR(extack, tmp);
kfree(hook);
err = -EEXIST;
goto err_hook;
@@ -2004,20 +2007,23 @@ struct nft_chain_hook {
static int nft_chain_parse_netdev(struct net *net,
struct nlattr *tb[],
- struct list_head *hook_list)
+ struct list_head *hook_list,
+ struct netlink_ext_ack *extack)
{
struct nft_hook *hook;
int err;
if (tb[NFTA_HOOK_DEV]) {
hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
- if (IS_ERR(hook))
+ if (IS_ERR(hook)) {
+ NL_SET_BAD_ATTR(extack, tb[NFTA_HOOK_DEV]);
return PTR_ERR(hook);
+ }
list_add_tail(&hook->list, hook_list);
} else if (tb[NFTA_HOOK_DEVS]) {
err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
- hook_list);
+ hook_list, extack);
if (err < 0)
return err;
@@ -2085,7 +2091,7 @@ static int nft_chain_parse_hook(struct net *net,
INIT_LIST_HEAD(&hook->list);
if (nft_base_chain_netdev(family, hook->num)) {
- err = nft_chain_parse_netdev(net, ha, &hook->list);
+ err = nft_chain_parse_netdev(net, ha, &hook->list, extack);
if (err < 0) {
module_put(type->owner);
return err;
@@ -7560,7 +7566,8 @@ static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX
static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
const struct nlattr *attr,
struct nft_flowtable_hook *flowtable_hook,
- struct nft_flowtable *flowtable, bool add)
+ struct nft_flowtable *flowtable,
+ struct netlink_ext_ack *extack, bool add)
{
struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
struct nft_hook *hook;
@@ -7607,7 +7614,8 @@ static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
err = nf_tables_parse_netdev_hooks(ctx->net,
tb[NFTA_FLOWTABLE_HOOK_DEVS],
- &flowtable_hook->list);
+ &flowtable_hook->list,
+ extack);
if (err < 0)
return err;
}
@@ -7750,7 +7758,8 @@ static void nft_flowtable_hooks_destroy(struct list_head *hook_list)
}
static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
- struct nft_flowtable *flowtable)
+ struct nft_flowtable *flowtable,
+ struct netlink_ext_ack *extack)
{
const struct nlattr * const *nla = ctx->nla;
struct nft_flowtable_hook flowtable_hook;
@@ -7761,7 +7770,7 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
int err;
err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
- &flowtable_hook, flowtable, false);
+ &flowtable_hook, flowtable, extack, false);
if (err < 0)
return err;
@@ -7866,7 +7875,7 @@ static int nf_tables_newflowtable(struct sk_buff *skb,
nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
- return nft_flowtable_update(&ctx, info->nlh, flowtable);
+ return nft_flowtable_update(&ctx, info->nlh, flowtable, extack);
}
nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
@@ -7907,7 +7916,7 @@ static int nf_tables_newflowtable(struct sk_buff *skb,
goto err3;
err = nft_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
- &flowtable_hook, flowtable, true);
+ &flowtable_hook, flowtable, extack, true);
if (err < 0)
goto err4;
@@ -7959,7 +7968,8 @@ static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook
}
static int nft_delflowtable_hook(struct nft_ctx *ctx,
- struct nft_flowtable *flowtable)
+ struct nft_flowtable *flowtable,
+ struct netlink_ext_ack *extack)
{
const struct nlattr * const *nla = ctx->nla;
struct nft_flowtable_hook flowtable_hook;
@@ -7969,7 +7979,7 @@ static int nft_delflowtable_hook(struct nft_ctx *ctx,
int err;
err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
- &flowtable_hook, flowtable, false);
+ &flowtable_hook, flowtable, extack, false);
if (err < 0)
return err;
@@ -8051,7 +8061,7 @@ static int nf_tables_delflowtable(struct sk_buff *skb,
nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
if (nla[NFTA_FLOWTABLE_HOOK])
- return nft_delflowtable_hook(&ctx, flowtable);
+ return nft_delflowtable_hook(&ctx, flowtable, extack);
if (flowtable->use > 0) {
NL_SET_BAD_ATTR(extack, attr);
--
2.30.2
next prev parent reply other threads:[~2023-04-21 23:02 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-21 23:01 [PATCH net-next 00/20] Netfilter/IPVS updates for net-next Pablo Neira Ayuso
2023-04-21 23:01 ` [PATCH net-next 01/20] netfilter: nft_exthdr: add boolean DCCP option matching Pablo Neira Ayuso
2023-04-21 23:01 ` [PATCH net-next 02/20] netfilter: nf_tables: merge nft_rules_old structure and end of ruleblob marker Pablo Neira Ayuso
2023-04-21 23:01 ` [PATCH net-next 03/20] netfilter: nf_tables: don't store address of last rule on jump Pablo Neira Ayuso
2023-04-21 23:01 ` [PATCH net-next 04/20] netfilter: nf_tables: don't store chain address " Pablo Neira Ayuso
2023-04-21 23:01 ` [PATCH net-next 05/20] netfilter: nf_tables: don't write table validation state without mutex Pablo Neira Ayuso
2023-04-21 23:01 ` [PATCH net-next 06/20] netfilter: nf_tables: make validation state per table Pablo Neira Ayuso
2023-04-21 23:01 ` [PATCH net-next 07/20] netfilter: nf_tables: remove unneeded conditional Pablo Neira Ayuso
2023-04-21 23:01 ` [PATCH net-next 08/20] netfilter: nf_tables: do not store pktinfo in traceinfo structure Pablo Neira Ayuso
2023-04-21 23:02 ` [PATCH net-next 09/20] netfilter: nf_tables: do not store verdict " Pablo Neira Ayuso
2023-04-21 23:02 ` [PATCH net-next 10/20] netfilter: nf_tables: do not store rule " Pablo Neira Ayuso
2023-04-21 23:02 ` [PATCH net-next 11/20] ipvs: Update width of source for ip_vs_sync_conn_options Pablo Neira Ayuso
2023-04-21 23:02 ` [PATCH net-next 12/20] ipvs: Consistently use array_size() in ip_vs_conn_init() Pablo Neira Ayuso
2023-04-21 23:02 ` [PATCH net-next 13/20] ipvs: Remove {Enter,Leave}Function Pablo Neira Ayuso
2023-04-21 23:02 ` [PATCH net-next 14/20] ipvs: Correct spelling in comments Pablo Neira Ayuso
2023-04-21 23:02 ` Pablo Neira Ayuso [this message]
2023-04-21 23:02 ` [PATCH net-next 16/20] netfilter: nf_tables: do not send complete notification of deletions Pablo Neira Ayuso
2023-04-21 23:02 ` [PATCH net-next 17/20] netfilter: nf_tables: rename function to destroy hook list Pablo Neira Ayuso
2023-04-21 23:02 ` [PATCH net-next 18/20] netfilter: nf_tables: support for adding new devices to an existing netdev chain Pablo Neira Ayuso
2023-04-21 23:02 ` [PATCH net-next 19/20] netfilter: nf_tables: support for deleting devices in " Pablo Neira Ayuso
2023-04-21 23:02 ` [PATCH net-next 20/20] netfilter: nf_tables: allow to create netdev chain without device Pablo Neira Ayuso
2023-04-21 23:40 ` [PATCH net-next 00/20] Netfilter/IPVS updates for net-next Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230421230211.214635-16-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).