From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org,
pabeni@redhat.com, edumazet@google.com, fw@strlen.de,
horms@kernel.org
Subject: [PATCH net-next 7/7] netfilter: nf_tables: export set count and backend name to userspace
Date: Thu, 24 Apr 2025 23:14:55 +0200 [thread overview]
Message-ID: <20250424211455.242482-8-pablo@netfilter.org> (raw)
In-Reply-To: <20250424211455.242482-1-pablo@netfilter.org>
From: Florian Westphal <fw@strlen.de>
nf_tables picks a suitable set backend implementation (bitmap, hash,
rbtree..) based on the userspace requirements.
Figuring out the chosen backend requires information about the set flags
and the kernel version. Export this to userspace so nft can include this
information in '--debug=netlink' output.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/uapi/linux/netfilter/nf_tables.h | 4 ++++
net/netfilter/nf_tables_api.c | 26 ++++++++++++++++++++++++
2 files changed, 30 insertions(+)
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 49c944e78463..7d6bc19a0153 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -394,6 +394,8 @@ enum nft_set_field_attributes {
* @NFTA_SET_HANDLE: set handle (NLA_U64)
* @NFTA_SET_EXPR: set expression (NLA_NESTED: nft_expr_attributes)
* @NFTA_SET_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes)
+ * @NFTA_SET_TYPE: set backend type (NLA_STRING)
+ * @NFTA_SET_COUNT: number of set elements (NLA_U32)
*/
enum nft_set_attributes {
NFTA_SET_UNSPEC,
@@ -415,6 +417,8 @@ enum nft_set_attributes {
NFTA_SET_HANDLE,
NFTA_SET_EXPR,
NFTA_SET_EXPRESSIONS,
+ NFTA_SET_TYPE,
+ NFTA_SET_COUNT,
__NFTA_SET_MAX
};
#define NFTA_SET_MAX (__NFTA_SET_MAX - 1)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index a133e1c175ce..b28f6730e26d 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4569,6 +4569,8 @@ static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
[NFTA_SET_HANDLE] = { .type = NLA_U64 },
[NFTA_SET_EXPR] = { .type = NLA_NESTED },
[NFTA_SET_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
+ [NFTA_SET_TYPE] = { .type = NLA_REJECT },
+ [NFTA_SET_COUNT] = { .type = NLA_REJECT },
};
static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
@@ -4763,6 +4765,27 @@ static u32 nft_set_userspace_size(const struct nft_set_ops *ops, u32 size)
return size;
}
+static noinline_for_stack int
+nf_tables_fill_set_info(struct sk_buff *skb, const struct nft_set *set)
+{
+ unsigned int nelems;
+ char str[40];
+ int ret;
+
+ ret = snprintf(str, sizeof(str), "%ps", set->ops);
+
+ /* Not expected to happen and harmless: NFTA_SET_TYPE is dumped
+ * to userspace purely for informational/debug purposes.
+ */
+ DEBUG_NET_WARN_ON_ONCE(ret >= sizeof(str));
+
+ if (nla_put_string(skb, NFTA_SET_TYPE, str))
+ return -EMSGSIZE;
+
+ nelems = nft_set_userspace_size(set->ops, atomic_read(&set->nelems));
+ return nla_put_be32(skb, NFTA_SET_COUNT, htonl(nelems));
+}
+
static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
const struct nft_set *set, u16 event, u16 flags)
{
@@ -4843,6 +4866,9 @@ static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
nla_nest_end(skb, nest);
+ if (nf_tables_fill_set_info(skb, set))
+ goto nla_put_failure;
+
if (set->num_exprs == 1) {
nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
if (nf_tables_fill_expr_info(skb, set->exprs[0], false) < 0)
--
2.30.2
next prev parent reply other threads:[~2025-04-24 21:15 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-24 21:14 [PATCH net-next,v2 0/7] Netfilter updates for net-next Pablo Neira Ayuso
2025-04-24 21:14 ` [PATCH net-next 1/7] netfilter: xt_IDLETIMER: convert timeouts to secs_to_jiffies() Pablo Neira Ayuso
2025-04-24 21:14 ` [PATCH net-next 2/7] netfilter: xt_cgroup: Make it independent from net_cls Pablo Neira Ayuso
2025-04-24 21:14 ` [PATCH net-next 3/7] net: cgroup: Guard users of sock_cgroup_classid() Pablo Neira Ayuso
2025-04-24 21:14 ` [PATCH net-next 4/7] netfilter: Exclude LEGACY TABLES on PREEMPT_RT Pablo Neira Ayuso
2025-04-24 21:14 ` [PATCH net-next 5/7] netfilter: conntrack: Remove redundant NFCT_ALIGN call Pablo Neira Ayuso
2025-04-24 21:14 ` [PATCH net-next 6/7] docs: tproxy: fix formatting for nft code block Pablo Neira Ayuso
2025-04-24 21:14 ` Pablo Neira Ayuso [this message]
2025-04-25 16:18 ` [PATCH net-next,v2 0/7] Netfilter updates for net-next Jakub Kicinski
2025-04-25 17:59 ` Florian Westphal
-- strict thread matches above, loose matches on Subject: below --
2025-04-22 20:23 [PATCH net-next " Pablo Neira Ayuso
2025-04-22 20:23 ` [PATCH net-next 7/7] netfilter: nf_tables: export set count and backend name to userspace Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250424211455.242482-8-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=fw@strlen.de \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).