From: kaber@trash.net
To: pablo@netfilter.org
Cc: netfilter-devel@vger.kernel.org, Patrick McHardy <kaber@trash.net>
Subject: [PATCH 04/11] netfilter: nf_tables: move policy to struct nft_base_chain
Date: Wed, 12 Dec 2012 19:47:34 +0100	[thread overview]
Message-ID: <1355338061-5517-5-git-send-email-kaber@trash.net> (raw)
In-Reply-To: <1355338061-5517-1-git-send-email-kaber@trash.net>

From: Patrick McHardy <kaber@trash.net>

Non-base-chains cannot have a policy, so move the policy member
to struct nft_base_chain. Also return an error when trying to add
a policy to a non-base-chain.

Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 include/net/netfilter/nf_tables.h |  4 +++-
 net/netfilter/nf_tables_api.c     | 26 +++++++++++++++-----------
 net/netfilter/nf_tables_core.c    |  2 +-
 3 Dateien geändert, 19 Zeilen hinzugefügt(+), 13 Zeilen entfernt(-)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 86fd951..d1a8e9e 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -355,7 +355,6 @@ struct nft_chain {
 	struct list_head		rules;
 	struct list_head		list;
 	u8				flags;
-	u8				policy;
 	u16				use;
 	u16				level;
 	char				name[NFT_CHAIN_MAXNAMELEN];
@@ -372,11 +371,14 @@ enum nft_chain_type {
  *	struct nft_base_chain - nf_tables base chain
  *
  *	@ops: netfilter hook ops
+ *	@type: chain type
+ *	@policy: default policy
  *	@chain: the chain
  */
 struct nft_base_chain {
 	struct nf_hook_ops		ops;
 	enum nft_chain_type		type;
+	u8				policy;
 	struct nft_chain		chain;
 };
 
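Review bot: The new kernel-doc line `@policy: default policy` restates the field name without saying what the value means or where it is consumed. This is the verdict nft_do_chain() returns once a packet has traversed every rule of the chain without a terminating verdict, so the comment should say so, e.g. `@policy: verdict returned by nft_do_chain() when no rule terminates packet processing`. The accepted value set is decided in nf_tables_chain_policy(), whose switch continues outside this patch's hunks, so confirm it before naming the constants in the comment.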
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 9768881..11502db 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -531,8 +531,11 @@ static int nf_tables_fill_chain_info(struct sk_buff *skb, u32 portid, u32 seq,
 		goto nla_put_failure;
 
 	if (chain->flags & NFT_BASE_CHAIN) {
-		const struct nf_hook_ops *ops = &nft_base_chain(chain)->ops;
-		struct nlattr *nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
+		const struct nft_base_chain *basechain = nft_base_chain(chain);
+		const struct nf_hook_ops *ops = &basechain->ops;
+		struct nlattr *nest;
+
+		nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
 		if (nest == NULL)
 			goto nla_put_failure;
 		if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
@@ -541,7 +544,8 @@ static int nf_tables_fill_chain_info(struct sk_buff *skb, u32 portid, u32 seq,
 			goto nla_put_failure;
 		nla_nest_end(skb, nest);
 
-		if (nla_put_be32(skb, NFTA_CHAIN_POLICY, htonl(chain->policy)))
+		if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
+				 htonl(basechain->policy)))
 			goto nla_put_failure;
 
 		if (nla_put_string(skb, NFTA_CHAIN_TYPE,
@@ -682,7 +686,7 @@ err:
 }
 
 static int
-nf_tables_chain_policy(struct nft_chain *chain, const struct nlattr *attr)
+nf_tables_chain_policy(struct nft_base_chain *chain, const struct nlattr *attr)
 {
 	switch (ntohl(nla_get_be32(attr))) {
 	case NF_DROP:
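Review bot: The parameter keeps the name `chain` even though its type is now `struct nft_base_chain *`; the rest of this patch names such pointers `basechain` (nf_tables_fill_chain_info() and both call sites in nf_tables_newchain()), and `chain` elsewhere in the file refers to a `struct nft_chain *`. Renaming it, `nf_tables_chain_policy(struct nft_base_chain *basechain, const struct nlattr *attr)`, keeps the two types visually distinct for the reader. The switch body that assigns the policy continues outside the hunk and would need the same rename.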
@@ -776,8 +780,10 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
 		if (nlh->nlmsg_flags & NLM_F_REPLACE)
 			return nf_tables_mvchain(skb, nlh, table, chain, nla);
 
-		if ((chain->flags & NFT_BASE_CHAIN) && nla[NFTA_CHAIN_POLICY]) {
-			return nf_tables_chain_policy(chain,
+		if (nla[NFTA_CHAIN_POLICY]) {
+			if (!(chain->flags & NFT_BASE_CHAIN))
+				return -EOPNOTSUPP;
+			return nf_tables_chain_policy(nft_base_chain(chain),
 						      nla[NFTA_CHAIN_POLICY]);
 		}
 		return 0;
@@ -830,23 +836,21 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
 		if (afi->hooks[ops->hooknum])
 			ops->hook = afi->hooks[ops->hooknum];
 
-		chain->policy = NF_ACCEPT;
 		chain->flags |= NFT_BASE_CHAIN;
 
 		if (nla[NFTA_CHAIN_POLICY]) {
-			err = nf_tables_chain_policy(chain,
+			err = nf_tables_chain_policy(basechain,
 						     nla[NFTA_CHAIN_POLICY]);
 			if (err < 0) {
 				kfree(basechain);
 				return err;
 			}
-		}
+		} else
+			basechain->policy = NF_ACCEPT;
 	} else {
 		chain = kzalloc(sizeof(*chain), GFP_KERNEL);
 		if (chain == NULL)
 			return -ENOMEM;
-
-		chain->policy = NF_ACCEPT;
 	}
 
 	INIT_LIST_HEAD(&chain->rules);
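Review bot: The create path for a non-base chain (the `else` branch at the end of the hunk) still ignores NFTA_CHAIN_POLICY silently, while the update path earlier in this function now returns -EOPNOTSUPP for the same request; unless the attribute is rejected before this branch (the start of nf_tables_newchain() is outside the hunk), a request that carries a policy but no hook succeeds and the policy is dropped without notice. Adding `if (nla[NFTA_CHAIN_POLICY])` / `return -EOPNOTSUPP;` at the top of the else branch makes both paths match the description. Separately, the `} else` that now carries the single statement `basechain->policy = NF_ACCEPT;` should be braced, since kernel style braces both branches when either one needs braces.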
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index 65e5385..a860769 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -136,7 +136,7 @@ next_rule:
 		goto next_rule;
 	}
 
-	return chain->policy;
+	return nft_base_chain(chain)->policy;
 }
 EXPORT_SYMBOL_GPL(nft_do_chain);
 
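Review bot: The return at the end of nft_do_chain() applies nft_base_chain() to whatever `chain` holds when the rule list is exhausted; if `chain` can be repointed at a non-base chain by a goto-style verdict earlier in the function (its body is outside the hunk), the container_of lookup reads memory outside that chain's allocation and the verdict becomes garbage. It is safer to keep the hook's base chain in its own local captured at function entry and end with `return nft_base_chain(basechain)->policy;`, leaving `chain` free to move through jumps. If every path reaching this return is guaranteed to restore `chain` to the base chain, a one-line comment stating that precondition above the return would make the cast's assumption visible.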
-- 
1.7.11.7
