* [PATCH 2/4] netfilter: nf_tables: nft_compat: private data of target and matches in contiguous area
2012-12-30 23:23 [PATCH 1/4] netfilter: nf_tables: rise maximum number of expressions from 12 to 128 pablo
@ 2012-12-30 23:23 ` pablo
2012-12-30 23:23 ` [PATCH 3/4] netfilter: nf_tables: validate hooks for compat match/target pablo
2012-12-30 23:23 ` [PATCH 4/4] netfilter: nf_tables: complete net namespace support pablo
2 siblings, 0 replies; 4+ messages in thread
From: pablo @ 2012-12-30 23:23 UTC (permalink / raw)
To: netfilter-devel; +Cc: kaber
From: Pablo Neira Ayuso <pablo@netfilter.org>
This patch reworks the compatibility infrastructure to place the private
match and target information in the contiguous area just after the nft_expr
header.
The compatibility infrastructure registers a native operation that
maps to one of the existing matches/targets. This allows no modification
in the layout of the nft_expr to include any new size field.
Original idea from Patrick McHardy.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_tables.h | 5 +-
net/netfilter/nf_tables_api.c | 11 +-
net/netfilter/nft_cmp.c | 3 +-
net/netfilter/nft_compat.c | 279 +++++++++++++++++++++----------------
net/netfilter/nft_payload.c | 3 +-
5 files changed, 172 insertions(+), 129 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index e7dc1da..26d75e4 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -238,7 +238,8 @@ extern void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
* @maxattr: highest netlink attribute number
*/
struct nft_expr_type {
- const struct nft_expr_ops *(*select_ops)(const struct nlattr * const tb[]);
+ const struct nft_expr_ops *(*select_ops)(const struct nft_ctx *,
+ const struct nlattr * const tb[]);
const struct nft_expr_ops *ops;
struct list_head list;
const char *name;
@@ -256,6 +257,7 @@ struct nft_expr_type {
* @destroy: destruction function
* @dump: function to dump parameters
* @type: expression type
+ * @data: extra data to attach to this expression operation
*/
struct nft_expr;
struct nft_expr_ops {
@@ -272,6 +274,7 @@ struct nft_expr_ops {
const struct nft_expr *expr);
const struct nft_data * (*get_verdict)(const struct nft_expr *expr);
const struct nft_expr_type *type;
+ void *data;
};
#define NFT_EXPR_MAXATTR 16
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index a847375..67b4548 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1026,7 +1026,8 @@ struct nft_expr_info {
struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
};
-static int nf_tables_expr_parse(const struct nlattr *nla,
+static int nf_tables_expr_parse(const struct nft_ctx *ctx,
+ const struct nlattr *nla,
struct nft_expr_info *info)
{
const struct nft_expr_type *type;
@@ -1051,7 +1052,8 @@ static int nf_tables_expr_parse(const struct nlattr *nla,
memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
if (type->select_ops != NULL) {
- ops = type->select_ops((const struct nlattr * const *)info->tb);
+ ops = type->select_ops(ctx,
+ (const struct nlattr * const *)info->tb);
if (IS_ERR(ops)) {
err = PTR_ERR(ops);
goto err1;
@@ -1385,6 +1387,8 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
handle = nf_tables_alloc_handle(table);
}
+ nft_ctx_init(&ctx, skb, nlh, afi, table, chain);
+
n = 0;
size = 0;
if (nla[NFTA_RULE_EXPRESSIONS]) {
@@ -1394,7 +1398,7 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
goto err1;
if (n == NFT_RULE_MAXEXPRS)
goto err1;
- err = nf_tables_expr_parse(tmp, &info[n]);
+ err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
if (err < 0)
goto err1;
size += info[n].ops->size;
@@ -1410,7 +1414,6 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
rule->handle = handle;
rule->dlen = size;
- nft_ctx_init(&ctx, skb, nlh, afi, table, chain);
expr = nft_expr_first(rule);
for (i = 0; i < n; i++) {
err = nf_tables_newexpr(&ctx, &info[i], expr);
diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft_cmp.c
index 37134f3..954925d 100644
--- a/net/netfilter/nft_cmp.c
+++ b/net/netfilter/nft_cmp.c
@@ -162,7 +162,8 @@ const struct nft_expr_ops nft_cmp_fast_ops = {
.dump = nft_cmp_fast_dump,
};
-static const struct nft_expr_ops *nft_cmp_select_ops(const struct nlattr * const tb[])
+static const struct nft_expr_ops *
+nft_cmp_select_ops(const struct nft_ctx *ctx, const struct nlattr * const tb[])
{
struct nft_data_desc desc;
struct nft_data data;
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index b4a3ad3..91f827b 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -66,34 +66,27 @@ nft_compat_set_par(struct xt_action_param *par, const struct nft_pktinfo *pkt,
par->fragoff = pkt->fragoff;
}
-struct nft_target {
- struct xt_target *target;
- __u32 family;
- __u32 info_len;
- void *info;
-};
-
static void nft_target_eval(const struct nft_expr *expr,
struct nft_data data[NFT_REG_MAX + 1],
const struct nft_pktinfo *pkt)
{
- const struct nft_target *priv = nft_expr_priv(expr);
+ void *info = nft_expr_priv(expr);
+ struct xt_target *target = expr->ops->data;
struct sk_buff *skb = pkt->skb;
struct xt_action_param par;
int ret;
if (!pkt->compat_set) {
if (nft_compat_set_pktinfo((struct nft_pktinfo *)pkt,
- priv->family) < 0) {
+ target->family) < 0) {
data[NFT_REG_VERDICT].verdict = NF_DROP;
return;
}
}
- nft_compat_set_par(&par, pkt, priv->target, priv->info,
- priv->family);
+ nft_compat_set_par(&par, pkt, target, info, target->family);
- ret = priv->target->target(skb, &par);
+ ret = target->target(skb, &par);
if (par.hotdrop)
ret = NF_DROP;
@@ -117,13 +110,14 @@ static const struct nla_policy nft_target_policy[NFTA_TARGET_MAX + 1] = {
static void
nft_target_set_tgchk_param(struct xt_tgchk_param *par,
- const struct nft_ctx *ctx, struct nft_target *priv)
+ const struct nft_ctx *ctx,
+ struct xt_target *target, void *info)
{
par->net = &init_net;
par->table = ctx->table->name;
par->entryinfo = NULL; /* FIXME */
- par->target = priv->target;
- par->targinfo = priv->info;
+ par->target = target;
+ par->targinfo = info;
par->hook_mask = 0; /* FIXME */
par->family = ctx->afi->family;
}
@@ -132,71 +126,50 @@ static int
nft_target_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
const struct nlattr * const tb[])
{
- struct nft_target *priv = nft_expr_priv(expr);
+ void *info = nft_expr_priv(expr);
+ struct xt_target *target = expr->ops->data;
struct xt_tgchk_param par;
- const char *tg_name;
- __u32 rev;
+ size_t size = XT_ALIGN(nla_len(tb[NFTA_TARGET_INFO]));
int ret;
- if (tb[NFTA_TARGET_NAME] == NULL ||
- tb[NFTA_TARGET_REV] == NULL ||
- tb[NFTA_TARGET_INFO] == NULL)
- return -EINVAL;
-
- tg_name = nla_data(tb[NFTA_TARGET_NAME]);
- rev = ntohl(nla_get_be32(tb[NFTA_TARGET_REV]));
- priv->family = ctx->afi->family;
-
- priv->target = xt_request_find_target(priv->family, tg_name, rev);
- if (IS_ERR(priv->target))
- return PTR_ERR(priv->target);
-
- priv->info_len = nla_len(tb[NFTA_TARGET_INFO]);
- if (priv->info_len == 0)
- return -EINVAL;
-
- priv->info = kzalloc(priv->info_len, GFP_ATOMIC);
- if (priv->info == NULL)
- return -ENOMEM;
+ memcpy(info, nla_data(tb[NFTA_TARGET_INFO]),
+ XT_ALIGN(target->targetsize));
- memcpy(priv->info, nla_data(tb[NFTA_TARGET_INFO]), priv->info_len);
-
- nft_target_set_tgchk_param(&par, ctx, priv);
+ nft_target_set_tgchk_param(&par, ctx, target, info);
/* FIXME: not checking protocol and inversion */
- ret = xt_check_target(&par, priv->info_len, 0, false);
+ ret = xt_check_target(&par, size, 0, false);
if (ret < 0)
goto err;
/* The standard target cannot be used */
- if (priv->target->target == NULL) {
+ if (target->target == NULL) {
ret = -EINVAL;
goto err;
}
return 0;
err:
- kfree(priv->info);
- module_put(priv->target->me);
+ module_put(target->me);
return ret;
}
static void
nft_target_destroy(const struct nft_expr *expr)
{
- struct nft_target *priv = nft_expr_priv(expr);
+ struct xt_target *target = expr->ops->data;
- module_put(priv->target->me);
- kfree(priv->info);
+ module_put(target->me);
}
static int nft_target_dump(struct sk_buff *skb, const struct nft_expr *expr)
{
- const struct nft_target *priv = nft_expr_priv(expr);
+ const struct xt_target *target = expr->ops->data;
+ void *info = nft_expr_priv(expr);
- if (nla_put_string(skb, NFTA_TARGET_NAME, priv->target->name) ||
- nla_put_be32(skb, NFTA_TARGET_REV, htonl(priv->target->revision)) ||
- nla_put(skb, NFTA_TARGET_INFO, priv->info_len, priv->info))
+ if (nla_put_string(skb, NFTA_TARGET_NAME, target->name) ||
+ nla_put_be32(skb, NFTA_TARGET_REV, htonl(target->revision)) ||
+ nla_put(skb, NFTA_TARGET_INFO, XT_ALIGN(target->targetsize), info))
goto nla_put_failure;
return 0;
@@ -205,34 +178,27 @@ nla_put_failure:
return -1;
}
-struct nft_match {
- struct xt_match *match;
- __u32 family;
- __u32 info_len;
- void *info;
-};
-
static void nft_match_eval(const struct nft_expr *expr,
struct nft_data data[NFT_REG_MAX + 1],
const struct nft_pktinfo *pkt)
{
- const struct nft_match *priv = nft_expr_priv(expr);
+ void *info = nft_expr_priv(expr);
+ struct xt_match *match = expr->ops->data;
struct sk_buff *skb = pkt->skb;
struct xt_action_param par;
bool ret;
if (!pkt->compat_set) {
if (nft_compat_set_pktinfo((struct nft_pktinfo *)pkt,
- priv->family) < 0) {
+ match->family) < 0) {
data[NFT_REG_VERDICT].verdict = NF_DROP;
return;
}
}
- nft_compat_set_par(&par, pkt, priv->match, priv->info,
- priv->family);
+ nft_compat_set_par(&par, pkt, match, info, match->family);
- ret = priv->match->match(skb, &par);
+ ret = match->match(skb, &par);
if (par.hotdrop) {
data[NFT_REG_VERDICT].verdict = NF_DROP;
@@ -257,14 +223,14 @@ static const struct nla_policy nft_match_policy[NFTA_MATCH_MAX + 1] = {
/* struct xt_mtchk_param and xt_tgchk_param look very similar */
static void
-nft_match_set_mtchk_param(struct xt_mtchk_param *par,
- const struct nft_ctx *ctx, struct nft_match *priv)
+nft_match_set_mtchk_param(struct xt_mtchk_param *par, const struct nft_ctx *ctx,
+ struct xt_match *match, void *info)
{
par->net = &init_net;
par->table = ctx->table->name;
par->entryinfo = NULL; /* FIXME */
- par->match = priv->match;
- par->matchinfo = priv->info;
+ par->match = match;
+ par->matchinfo = info;
par->hook_mask = 0; /* FIXME */
par->family = ctx->afi->family;
}
@@ -273,65 +239,43 @@ static int
nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
const struct nlattr * const tb[])
{
- struct nft_match *priv = nft_expr_priv(expr);
+ void *info = nft_expr_priv(expr);
+ struct xt_match *match = expr->ops->data;
struct xt_mtchk_param par;
- const char *mt_name;
- __u32 rev;
+ size_t size = XT_ALIGN(nla_len(tb[NFTA_MATCH_INFO]));
int ret;
- if (tb[NFTA_MATCH_NAME] == NULL ||
- tb[NFTA_MATCH_REV] == NULL ||
- tb[NFTA_MATCH_INFO] == NULL)
- return -EINVAL;
-
- mt_name = nla_data(tb[NFTA_MATCH_NAME]);
- rev = ntohl(nla_get_be32(tb[NFTA_MATCH_REV]));
- priv->family = ctx->afi->family;
-
- priv->match = xt_request_find_match(priv->family, mt_name, rev);
- if (IS_ERR(priv->match))
- return PTR_ERR(priv->match);
-
- priv->info_len = nla_len(tb[NFTA_MATCH_INFO]);
- if (priv->info_len == 0)
- return -EINVAL;
-
- priv->info = kzalloc(priv->info_len, GFP_ATOMIC);
- if (priv->info == NULL)
- return -ENOMEM;
-
- memcpy(priv->info, nla_data(tb[NFTA_MATCH_INFO]), priv->info_len);
+ memcpy(info, nla_data(tb[NFTA_MATCH_INFO]), XT_ALIGN(match->matchsize));
- nft_match_set_mtchk_param(&par, ctx, priv);
+ nft_match_set_mtchk_param(&par, ctx, match, info);
/* FIXME: not checking protocol and inversion, do this in userspace */
- ret = xt_check_match(&par, priv->info_len, 0, false);
+ ret = xt_check_match(&par, size, 0, false);
if (ret < 0)
goto err;
return 0;
err:
- kfree(priv->info);
- module_put(priv->match->me);
+ module_put(match->me);
return ret;
}
static void
nft_match_destroy(const struct nft_expr *expr)
{
- struct nft_match *priv = nft_expr_priv(expr);
+ struct xt_match *match = expr->ops->data;
- module_put(priv->match->me);
- kfree(priv->info);
+ module_put(match->me);
}
static int nft_match_dump(struct sk_buff *skb, const struct nft_expr *expr)
{
- const struct nft_match *priv = nft_expr_priv(expr);
+ void *info = nft_expr_priv(expr);
+ struct xt_match *match = expr->ops->data;
- if (nla_put_string(skb, NFTA_MATCH_NAME, priv->match->name) ||
- nla_put_be32(skb, NFTA_MATCH_REV, htonl(priv->match->revision)) ||
- nla_put(skb, NFTA_MATCH_INFO, priv->info_len, priv->info))
+ if (nla_put_string(skb, NFTA_MATCH_NAME, match->name) ||
+ nla_put_be32(skb, NFTA_MATCH_REV, htonl(match->revision)) ||
+ nla_put(skb, NFTA_MATCH_INFO, XT_ALIGN(match->matchsize), info))
goto nla_put_failure;
return 0;
@@ -458,37 +402,128 @@ static const struct nfnetlink_subsystem nfnl_compat_subsys = {
.cb = nfnl_nft_compat_cb,
};
-static struct nft_expr_type nft_match_type;
-static const struct nft_expr_ops nft_match_ops = {
- .type = &nft_match_type,
- .size = NFT_EXPR_SIZE(sizeof(struct nft_match)),
- .eval = nft_match_eval,
- .init = nft_match_init,
- .destroy = nft_match_destroy,
- .dump = nft_match_dump,
+static LIST_HEAD(nft_match_list);
+
+struct nft_xt {
+ struct list_head head;
+ struct nft_expr_ops ops;
};
+static struct nft_expr_type nft_match_type;
+
+static const struct nft_expr_ops *
+nft_match_select_ops(const struct nft_ctx *ctx,
+ const struct nlattr * const tb[])
+{
+ struct nft_xt *nft_match;
+ struct xt_match *match;
+ char *mt_name;
+ __u32 rev, family;
+
+ if (tb[NFTA_MATCH_NAME] == NULL ||
+ tb[NFTA_MATCH_REV] == NULL ||
+ tb[NFTA_MATCH_INFO] == NULL)
+ return ERR_PTR(-EINVAL);
+
+ mt_name = nla_data(tb[NFTA_MATCH_NAME]);
+ rev = ntohl(nla_get_be32(tb[NFTA_MATCH_REV]));
+ family = ctx->afi->family;
+
+ /* Re-use the existing match if it's already loaded. */
+ list_for_each_entry(nft_match, &nft_match_list, head) {
+ struct xt_match *match = nft_match->ops.data;
+
+ if (strcmp(match->name, mt_name) == 0 &&
+ match->revision == rev && match->family == family)
+ return &nft_match->ops;
+ }
+
+ match = xt_request_find_match(family, mt_name, rev);
+ if (IS_ERR(match))
+ return ERR_PTR(-ENOENT);
+
+ /* This is the first time we use this match, allocate operations */
+ nft_match = kzalloc(sizeof(struct nft_xt), GFP_KERNEL);
+ if (nft_match == NULL)
+ return ERR_PTR(-ENOMEM);
+
+ nft_match->ops.type = &nft_match_type;
+ nft_match->ops.size = NFT_EXPR_SIZE(XT_ALIGN(match->matchsize));
+ nft_match->ops.eval = nft_match_eval;
+ nft_match->ops.init = nft_match_init;
+ nft_match->ops.destroy = nft_match_destroy;
+ nft_match->ops.dump = nft_match_dump;
+ nft_match->ops.data = match;
+
+ list_add(&nft_match->head, &nft_match_list);
+
+ return &nft_match->ops;
+}
+
static struct nft_expr_type nft_match_type __read_mostly = {
.name = "match",
- .ops = &nft_match_ops,
+ .select_ops = nft_match_select_ops,
.policy = nft_match_policy,
.maxattr = NFTA_MATCH_MAX,
.owner = THIS_MODULE,
};
+static LIST_HEAD(nft_target_list);
+
static struct nft_expr_type nft_target_type;
-static const struct nft_expr_ops nft_target_ops = {
- .type = &nft_target_type,
- .size = NFT_EXPR_SIZE(sizeof(struct nft_target)),
- .eval = nft_target_eval,
- .init = nft_target_init,
- .destroy = nft_target_destroy,
- .dump = nft_target_dump,
-};
+
+static const struct nft_expr_ops *
+nft_target_select_ops(const struct nft_ctx *ctx,
+ const struct nlattr * const tb[])
+{
+ struct nft_xt *nft_target;
+ struct xt_target *target;
+ char *tg_name;
+ __u32 rev, family;
+
+ if (tb[NFTA_TARGET_NAME] == NULL ||
+ tb[NFTA_TARGET_REV] == NULL ||
+ tb[NFTA_TARGET_INFO] == NULL)
+ return ERR_PTR(-EINVAL);
+
+ tg_name = nla_data(tb[NFTA_TARGET_NAME]);
+ rev = ntohl(nla_get_be32(tb[NFTA_TARGET_REV]));
+ family = ctx->afi->family;
+
+ /* Re-use the existing target if it's already loaded. */
+ list_for_each_entry(nft_target, &nft_match_list, head) {
+ struct xt_target *target = nft_target->ops.data;
+
+ if (strcmp(target->name, tg_name) == 0 &&
+ target->revision == rev && target->family == family)
+ return &nft_target->ops;
+ }
+
+ target = xt_request_find_target(family, tg_name, rev);
+ if (IS_ERR(target))
+ return ERR_PTR(-ENOENT);
+
+ /* This is the first time we use this target, allocate operations */
+ nft_target = kzalloc(sizeof(struct nft_xt), GFP_KERNEL);
+ if (nft_target == NULL)
+ return ERR_PTR(-ENOMEM);
+
+ nft_target->ops.type = &nft_target_type;
+ nft_target->ops.size = NFT_EXPR_SIZE(XT_ALIGN(target->targetsize));
+ nft_target->ops.eval = nft_target_eval;
+ nft_target->ops.init = nft_target_init;
+ nft_target->ops.destroy = nft_target_destroy;
+ nft_target->ops.dump = nft_target_dump;
+ nft_target->ops.data = target;
+
+ list_add(&nft_target->head, &nft_target_list);
+
+ return &nft_target->ops;
+}
static struct nft_expr_type nft_target_type __read_mostly = {
.name = "target",
- .ops = &nft_target_ops,
+ .select_ops = nft_target_select_ops,
.policy = nft_target_policy,
.maxattr = NFTA_TARGET_MAX,
.owner = THIS_MODULE,
diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
index 6c81078..028e4d8 100644
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -107,7 +107,8 @@ const struct nft_expr_ops nft_payload_fast_ops = {
};
static const struct nft_expr_ops *
-nft_payload_select_ops(const struct nlattr * const tb[])
+nft_payload_select_ops(const struct nft_ctx *ctx,
+ const struct nlattr * const tb[])
{
enum nft_payload_bases base;
unsigned int offset, len;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 4+ messages in thread* [PATCH 3/4] netfilter: nf_tables: validate hooks for compat match/target
2012-12-30 23:23 [PATCH 1/4] netfilter: nf_tables: rise maximum number of expressions from 12 to 128 pablo
2012-12-30 23:23 ` [PATCH 2/4] netfilter: nf_tables: nft_compat: private data of target and matches in contiguous area pablo
@ 2012-12-30 23:23 ` pablo
2012-12-30 23:23 ` [PATCH 4/4] netfilter: nf_tables: complete net namespace support pablo
2 siblings, 0 replies; 4+ messages in thread
From: pablo @ 2012-12-30 23:23 UTC (permalink / raw)
To: netfilter-devel; +Cc: kaber
From: Pablo Neira Ayuso <pablo@netfilter.org>
This patch validates that matches/targets are called from the
appropriate hook. This uses the existing loop detection approach
for the case they are not used in base chains. Basically, it
renames the expr->ops->get_verdict callback and generalize it
to expr->ops->validate.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_tables.h | 5 ++-
net/netfilter/nf_tables_api.c | 14 ++++++---
net/netfilter/nft_compat.c | 62 +++++++++++++++++++++++++++++++++++--
net/netfilter/nft_immediate.c | 12 ++++---
4 files changed, 80 insertions(+), 13 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 26d75e4..7f994a2 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -257,6 +257,7 @@ struct nft_expr_type {
* @destroy: destruction function
* @dump: function to dump parameters
* @type: expression type
+ * @validate: validate expression, called during loop detection
* @data: extra data to attach to this expression operation
*/
struct nft_expr;
@@ -272,7 +273,9 @@ struct nft_expr_ops {
void (*destroy)(const struct nft_expr *expr);
int (*dump)(struct sk_buff *skb,
const struct nft_expr *expr);
- const struct nft_data * (*get_verdict)(const struct nft_expr *expr);
+ int (*validate)(const struct nft_ctx *ctx,
+ const struct nft_expr *expr,
+ const struct nft_data **data);
const struct nft_expr_type *type;
void *data;
};
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 67b4548..0e27d2e 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2492,23 +2492,27 @@ static int nf_tables_check_loops(const struct nft_ctx *ctx,
{
const struct nft_rule *rule;
const struct nft_expr *expr, *last;
- const struct nft_data *data;
const struct nft_set *set;
struct nft_set_binding *binding;
struct nft_set_iter iter;
- int err;
if (ctx->chain == chain)
return -ELOOP;
list_for_each_entry(rule, &chain->rules, list) {
nft_rule_for_each_expr(expr, last, rule) {
- if (!expr->ops->get_verdict)
+ const struct nft_data *data = NULL;
+ int err;
+
+ if (!expr->ops->validate)
continue;
- data = expr->ops->get_verdict(expr);
+ err = expr->ops->validate(ctx, expr, &data);
+ if (err < 0)
+ return err;
+
if (data == NULL)
- break;
+ continue;
switch (data->verdict) {
case NFT_JUMP:
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index 91f827b..328abf1 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -118,7 +118,13 @@ nft_target_set_tgchk_param(struct xt_tgchk_param *par,
par->entryinfo = NULL; /* FIXME */
par->target = target;
par->targinfo = info;
- par->hook_mask = 0; /* FIXME */
+ if (ctx->chain->flags & NFT_BASE_CHAIN) {
+ const struct nft_base_chain *basechain =
+ nft_base_chain(ctx->chain);
+ const struct nf_hook_ops *ops = &basechain->ops;
+
+ par->hook_mask = 1 << ops->hooknum;
+ }
par->family = ctx->afi->family;
}
@@ -178,6 +184,28 @@ nla_put_failure:
return -1;
}
+static int nft_target_validate(const struct nft_ctx *ctx,
+ const struct nft_expr *expr,
+ const struct nft_data **data)
+{
+ struct xt_target *target = expr->ops->data;
+ unsigned int hook_mask = 0;
+
+ if (ctx->chain->flags & NFT_BASE_CHAIN) {
+ const struct nft_base_chain *basechain =
+ nft_base_chain(ctx->chain);
+ const struct nf_hook_ops *ops = &basechain->ops;
+
+ hook_mask = 1 << ops->hooknum;
+ if (hook_mask & target->hooks)
+ return 0;
+
+ /* This target is being called from an invalid chain */
+ return -EINVAL;
+ }
+ return 0;
+}
+
static void nft_match_eval(const struct nft_expr *expr,
struct nft_data data[NFT_REG_MAX + 1],
const struct nft_pktinfo *pkt)
@@ -231,7 +259,13 @@ nft_match_set_mtchk_param(struct xt_mtchk_param *par, const struct nft_ctx *ctx,
par->entryinfo = NULL; /* FIXME */
par->match = match;
par->matchinfo = info;
- par->hook_mask = 0; /* FIXME */
+ if (ctx->chain->flags & NFT_BASE_CHAIN) {
+ const struct nft_base_chain *basechain =
+ nft_base_chain(ctx->chain);
+ const struct nf_hook_ops *ops = &basechain->ops;
+
+ par->hook_mask = 1 << ops->hooknum;
+ }
par->family = ctx->afi->family;
}
@@ -284,6 +318,28 @@ nla_put_failure:
return -1;
}
+static int nft_match_validate(const struct nft_ctx *ctx,
+ const struct nft_expr *expr,
+ const struct nft_data **data)
+{
+ struct xt_match *match = expr->ops->data;
+ unsigned int hook_mask = 0;
+
+ if (ctx->chain->flags & NFT_BASE_CHAIN) {
+ const struct nft_base_chain *basechain =
+ nft_base_chain(ctx->chain);
+ const struct nf_hook_ops *ops = &basechain->ops;
+
+ hook_mask = 1 << ops->hooknum;
+ if (hook_mask & match->hooks)
+ return 0;
+
+ /* This match is being called from an invalid chain */
+ return -EINVAL;
+ }
+ return 0;
+}
+
static int
nfnl_compat_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
int event, u16 family, const char *name,
@@ -453,6 +509,7 @@ nft_match_select_ops(const struct nft_ctx *ctx,
nft_match->ops.init = nft_match_init;
nft_match->ops.destroy = nft_match_destroy;
nft_match->ops.dump = nft_match_dump;
+ nft_match->ops.validate = nft_match_validate;
nft_match->ops.data = match;
list_add(&nft_match->head, &nft_match_list);
@@ -514,6 +571,7 @@ nft_target_select_ops(const struct nft_ctx *ctx,
nft_target->ops.init = nft_target_init;
nft_target->ops.destroy = nft_target_destroy;
nft_target->ops.dump = nft_target_dump;
+ nft_target->ops.validate = nft_target_validate;
nft_target->ops.data = target;
list_add(&nft_target->head, &nft_target_list);
diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c
index 1bfeeaf..f169501 100644
--- a/net/netfilter/nft_immediate.c
+++ b/net/netfilter/nft_immediate.c
@@ -90,14 +90,16 @@ nla_put_failure:
return -1;
}
-static const struct nft_data *nft_immediate_get_verdict(const struct nft_expr *expr)
+static int nft_immediate_validate(const struct nft_ctx *ctx,
+ const struct nft_expr *expr,
+ const struct nft_data **data)
{
const struct nft_immediate_expr *priv = nft_expr_priv(expr);
if (priv->dreg == NFT_REG_VERDICT)
- return &priv->data;
- else
- return NULL;
+ *data = &priv->data;
+
+ return 0;
}
static struct nft_expr_type nft_imm_type;
@@ -108,7 +110,7 @@ static const struct nft_expr_ops nft_imm_ops = {
.init = nft_immediate_init,
.destroy = nft_immediate_destroy,
.dump = nft_immediate_dump,
- .get_verdict = nft_immediate_get_verdict,
+ .validate = nft_immediate_validate,
};
static struct nft_expr_type nft_imm_type __read_mostly = {
--
1.7.10.4
^ permalink raw reply related [flat|nested] 4+ messages in thread* [PATCH 4/4] netfilter: nf_tables: complete net namespace support
2012-12-30 23:23 [PATCH 1/4] netfilter: nf_tables: rise maximum number of expressions from 12 to 128 pablo
2012-12-30 23:23 ` [PATCH 2/4] netfilter: nf_tables: nft_compat: private data of target and matches in contiguous area pablo
2012-12-30 23:23 ` [PATCH 3/4] netfilter: nf_tables: validate hooks for compat match/target pablo
@ 2012-12-30 23:23 ` pablo
2 siblings, 0 replies; 4+ messages in thread
From: pablo @ 2012-12-30 23:23 UTC (permalink / raw)
To: netfilter-devel; +Cc: kaber
From: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/net_namespace.h | 4 ++
include/net/netfilter/nf_tables.h | 4 +-
include/net/netns/nftables.h | 14 ++++++
net/bridge/netfilter/nf_tables_bridge.c | 32 +++++++++++-
net/ipv4/netfilter/nf_tables_ipv4.c | 33 +++++++++++-
net/ipv6/netfilter/nf_tables_ipv6.c | 32 +++++++++++-
net/netfilter/nf_tables_api.c | 84 ++++++++++++++++++++-----------
7 files changed, 167 insertions(+), 36 deletions(-)
create mode 100644 include/net/netns/nftables.h
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index d61e2b3..4a6a0d1 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -21,6 +21,7 @@
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
#include <net/netns/conntrack.h>
#endif
+#include <net/netns/nftables.h>
#include <net/netns/xfrm.h>
struct proc_dir_entry;
@@ -93,6 +94,9 @@ struct net {
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
struct netns_ct ct;
#endif
+#if defined(CONFIG_NF_TABLES) || defined(CONFIG_NF_TABLES_MODULE)
+ struct netns_nftables nft;
+#endif
#if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
struct netns_nf_frag nf_frag;
#endif
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 7f994a2..5d9d43f 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -55,6 +55,7 @@ static inline void nft_data_debug(const struct nft_data *data)
/**
* struct nft_ctx - nf_tables rule/set context
*
+ * @net: net namespace
* @skb: netlink skb
* @nlh: netlink message header
* @afi: address family info
@@ -62,6 +63,7 @@ static inline void nft_data_debug(const struct nft_data *data)
* @chain: the chain the rule is contained in
*/
struct nft_ctx {
+ struct net *net;
const struct sk_buff *skb;
const struct nlmsghdr *nlh;
const struct nft_af_info *afi;
@@ -439,7 +441,7 @@ struct nft_af_info {
nf_hookfn *hooks[NF_MAX_HOOKS];
};
-extern int nft_register_afinfo(struct nft_af_info *);
+extern int nft_register_afinfo(struct net *, struct nft_af_info *);
extern void nft_unregister_afinfo(struct nft_af_info *);
struct nf_chain_type {
diff --git a/include/net/netns/nftables.h b/include/net/netns/nftables.h
new file mode 100644
index 0000000..255757c
--- /dev/null
+++ b/include/net/netns/nftables.h
@@ -0,0 +1,14 @@
+#ifndef _NETNS_NFTABLES_H_
+#define _NETNS_NFTABLES_H_
+
+#include <linux/list.h>
+#include <net/netfilter/nf_tables.h>
+
+struct netns_nftables {
+ struct list_head af_info;
+ struct nft_af_info *ipv4;
+ struct nft_af_info *ipv6;
+ struct nft_af_info *bridge;
+};
+
+#endif
diff --git a/net/bridge/netfilter/nf_tables_bridge.c b/net/bridge/netfilter/nf_tables_bridge.c
index bc5c21c..e8cb016 100644
--- a/net/bridge/netfilter/nf_tables_bridge.c
+++ b/net/bridge/netfilter/nf_tables_bridge.c
@@ -19,14 +19,42 @@ static struct nft_af_info nft_af_bridge __read_mostly = {
.owner = THIS_MODULE,
};
+static int nf_tables_bridge_init_net(struct net *net)
+{
+ net->nft.bridge = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
+ if (net->nft.bridge == NULL)
+ return -ENOMEM;
+
+ memcpy(net->nft.bridge, &nft_af_bridge, sizeof(nft_af_bridge));
+
+ if (nft_register_afinfo(net, net->nft.bridge) < 0)
+ goto err;
+
+ return 0;
+err:
+ kfree(net->nft.bridge);
+ return -ENOMEM;
+}
+
+static void nf_tables_bridge_exit_net(struct net *net)
+{
+ nft_unregister_afinfo(net->nft.bridge);
+ kfree(net->nft.bridge);
+}
+
+static struct pernet_operations nf_tables_bridge_net_ops = {
+ .init = nf_tables_bridge_init_net,
+ .exit = nf_tables_bridge_exit_net,
+};
+
static int __init nf_tables_bridge_init(void)
{
- return nft_register_afinfo(&nft_af_bridge);
+ return register_pernet_subsys(&nf_tables_bridge_net_ops);
}
static void __exit nf_tables_bridge_exit(void)
{
- nft_unregister_afinfo(&nft_af_bridge);
+ return unregister_pernet_subsys(&nf_tables_bridge_net_ops);
}
module_init(nf_tables_bridge_init);
diff --git a/net/ipv4/netfilter/nf_tables_ipv4.c b/net/ipv4/netfilter/nf_tables_ipv4.c
index 63d0a3b..8827539 100644
--- a/net/ipv4/netfilter/nf_tables_ipv4.c
+++ b/net/ipv4/netfilter/nf_tables_ipv4.c
@@ -13,6 +13,7 @@
#include <linux/ip.h>
#include <linux/netfilter_ipv4.h>
#include <net/netfilter/nf_tables.h>
+#include <net/net_namespace.h>
#include <net/ip.h>
static unsigned int nft_ipv4_output(const struct nf_hook_ops *ops,
@@ -41,14 +42,42 @@ static struct nft_af_info nft_af_ipv4 __read_mostly = {
},
};
+static int nf_tables_ipv4_init_net(struct net *net)
+{
+ net->nft.ipv4 = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
+ if (net->nft.ipv4 == NULL)
+ return -ENOMEM;
+
+ memcpy(net->nft.ipv4, &nft_af_ipv4, sizeof(nft_af_ipv4));
+
+ if (nft_register_afinfo(net, net->nft.ipv4) < 0)
+ goto err;
+
+ return 0;
+err:
+ kfree(net->nft.ipv4);
+ return -ENOMEM;
+}
+
+static void nf_tables_ipv4_exit_net(struct net *net)
+{
+ nft_unregister_afinfo(net->nft.ipv4);
+ kfree(net->nft.ipv4);
+}
+
+static struct pernet_operations nf_tables_ipv4_net_ops = {
+ .init = nf_tables_ipv4_init_net,
+ .exit = nf_tables_ipv4_exit_net,
+};
+
static int __init nf_tables_ipv4_init(void)
{
- return nft_register_afinfo(&nft_af_ipv4);
+ return register_pernet_subsys(&nf_tables_ipv4_net_ops);
}
static void __exit nf_tables_ipv4_exit(void)
{
- nft_unregister_afinfo(&nft_af_ipv4);
+ return unregister_pernet_subsys(&nf_tables_ipv4_net_ops);
}
module_init(nf_tables_ipv4_init);
diff --git a/net/ipv6/netfilter/nf_tables_ipv6.c b/net/ipv6/netfilter/nf_tables_ipv6.c
index e0717ce..ff68524 100644
--- a/net/ipv6/netfilter/nf_tables_ipv6.c
+++ b/net/ipv6/netfilter/nf_tables_ipv6.c
@@ -39,14 +39,42 @@ static struct nft_af_info nft_af_ipv6 __read_mostly = {
},
};
+static int nf_tables_ipv6_init_net(struct net *net)
+{
+ net->nft.ipv6 = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
+ if (net->nft.ipv6 == NULL)
+ return -ENOMEM;
+
+ memcpy(net->nft.ipv6, &nft_af_ipv6, sizeof(nft_af_ipv6));
+
+ if (nft_register_afinfo(net, net->nft.ipv6) < 0)
+ goto err;
+
+ return 0;
+err:
+ kfree(net->nft.ipv6);
+ return -ENOMEM;
+}
+
+static void nf_tables_ipv6_exit_net(struct net *net)
+{
+ nft_unregister_afinfo(net->nft.ipv6);
+ kfree(net->nft.ipv6);
+}
+
+static struct pernet_operations nf_tables_ipv6_net_ops = {
+ .init = nf_tables_ipv6_init_net,
+ .exit = nf_tables_ipv6_exit_net,
+};
+
static int __init nf_tables_ipv6_init(void)
{
- return nft_register_afinfo(&nft_af_ipv6);
+ return register_pernet_subsys(&nf_tables_ipv6_net_ops);
}
static void __exit nf_tables_ipv6_exit(void)
{
- nft_unregister_afinfo(&nft_af_ipv6);
+ return unregister_pernet_subsys(&nf_tables_ipv6_net_ops);
}
module_init(nf_tables_ipv6_init);
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 0e27d2e..d0dab16 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -18,9 +18,9 @@
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_core.h>
#include <net/netfilter/nf_tables.h>
+#include <net/net_namespace.h>
#include <net/sock.h>
-static LIST_HEAD(nf_tables_afinfo);
static LIST_HEAD(nf_tables_expressions);
/**
@@ -31,11 +31,11 @@ static LIST_HEAD(nf_tables_expressions);
* Register the address family for use with nf_tables. Returns zero on
* success or a negative errno code otherwise.
*/
-int nft_register_afinfo(struct nft_af_info *afi)
+int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
{
INIT_LIST_HEAD(&afi->tables);
nfnl_lock();
- list_add_tail(&afi->list, &nf_tables_afinfo);
+ list_add_tail(&afi->list, &net->nft.af_info);
nfnl_unlock();
return 0;
}
@@ -56,22 +56,23 @@ void nft_unregister_afinfo(struct nft_af_info *afi)
}
EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
-static struct nft_af_info *nft_afinfo_lookup(int family)
+static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
{
struct nft_af_info *afi;
- list_for_each_entry(afi, &nf_tables_afinfo, list) {
+ list_for_each_entry(afi, &net->nft.af_info, list) {
if (afi->family == family)
return afi;
}
return NULL;
}
-static struct nft_af_info *nf_tables_afinfo_lookup(int family, bool autoload)
+static struct nft_af_info *
+nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
{
struct nft_af_info *afi;
- afi = nft_afinfo_lookup(family);
+ afi = nft_afinfo_lookup(net, family);
if (afi != NULL)
return afi;
#ifdef CONFIG_MODULES
@@ -79,7 +80,7 @@ static struct nft_af_info *nf_tables_afinfo_lookup(int family, bool autoload)
nfnl_unlock();
request_module("nft-afinfo-%u", family);
nfnl_lock();
- afi = nft_afinfo_lookup(family);
+ afi = nft_afinfo_lookup(net, family);
if (afi != NULL)
return ERR_PTR(-EAGAIN);
}
@@ -232,9 +233,10 @@ static int nf_tables_dump_tables(struct sk_buff *skb,
const struct nft_af_info *afi;
const struct nft_table *table;
unsigned int idx = 0, s_idx = cb->args[0];
+ struct net *net = sock_net(skb->sk);
int family = nfmsg->nfgen_family;
- list_for_each_entry(afi, &nf_tables_afinfo, list) {
+ list_for_each_entry(afi, &net->nft.af_info, list) {
if (family != NFPROTO_UNSPEC && family != afi->family)
continue;
@@ -268,6 +270,7 @@ static int nf_tables_gettable(struct sock *nlsk, struct sk_buff *skb,
const struct nft_af_info *afi;
const struct nft_table *table;
struct sk_buff *skb2;
+ struct net *net = sock_net(skb->sk);
int family = nfmsg->nfgen_family;
int err;
@@ -278,7 +281,7 @@ static int nf_tables_gettable(struct sock *nlsk, struct sk_buff *skb,
return netlink_dump_start(nlsk, skb, nlh, &c);
}
- afi = nf_tables_afinfo_lookup(family, false);
+ afi = nf_tables_afinfo_lookup(net, family, false);
if (IS_ERR(afi))
return PTR_ERR(afi);
@@ -379,9 +382,10 @@ static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
const struct nlattr *name;
struct nft_af_info *afi;
struct nft_table *table;
+ struct net *net = sock_net(skb->sk);
int family = nfmsg->nfgen_family;
- afi = nf_tables_afinfo_lookup(family, true);
+ afi = nf_tables_afinfo_lookup(net, family, true);
if (IS_ERR(afi))
return PTR_ERR(afi);
@@ -431,9 +435,10 @@ static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
struct nft_af_info *afi;
struct nft_table *table;
+ struct net *net = sock_net(skb->sk);
int family = nfmsg->nfgen_family;
- afi = nf_tables_afinfo_lookup(family, false);
+ afi = nf_tables_afinfo_lookup(net, family, false);
if (IS_ERR(afi))
return PTR_ERR(afi);
@@ -591,7 +596,7 @@ static int nf_tables_chain_notify(const struct sk_buff *oskb,
struct sk_buff *skb;
u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
u32 seq = nlh ? nlh->nlmsg_seq : 0;
- struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
+ struct net *net = sock_net(oskb->sk);
bool report;
int err;
@@ -627,9 +632,10 @@ static int nf_tables_dump_chains(struct sk_buff *skb,
const struct nft_table *table;
const struct nft_chain *chain;
unsigned int idx = 0, s_idx = cb->args[0];
+ struct net *net = sock_net(skb->sk);
int family = nfmsg->nfgen_family;
- list_for_each_entry(afi, &nf_tables_afinfo, list) {
+ list_for_each_entry(afi, &net->nft.af_info, list) {
if (family != NFPROTO_UNSPEC && family != afi->family)
continue;
@@ -666,6 +672,7 @@ static int nf_tables_getchain(struct sock *nlsk, struct sk_buff *skb,
const struct nft_table *table;
const struct nft_chain *chain;
struct sk_buff *skb2;
+ struct net *net = sock_net(skb->sk);
int family = nfmsg->nfgen_family;
int err;
@@ -676,7 +683,7 @@ static int nf_tables_getchain(struct sock *nlsk, struct sk_buff *skb,
return netlink_dump_start(nlsk, skb, nlh, &c);
}
- afi = nf_tables_afinfo_lookup(family, false);
+ afi = nf_tables_afinfo_lookup(net, family, false);
if (IS_ERR(afi))
return PTR_ERR(afi);
@@ -732,6 +739,7 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
struct nft_chain *chain;
struct nft_base_chain *basechain = NULL;
struct nlattr *ha[NFTA_HOOK_MAX + 1];
+ struct net *net = sock_net(skb->sk);
int family = nfmsg->nfgen_family;
u64 handle = 0;
int err;
@@ -739,7 +747,7 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
- afi = nf_tables_afinfo_lookup(family, true);
+ afi = nf_tables_afinfo_lookup(net, family, true);
if (IS_ERR(afi))
return PTR_ERR(afi);
@@ -882,9 +890,10 @@ static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb,
const struct nft_af_info *afi;
struct nft_table *table;
struct nft_chain *chain;
+ struct net *net = sock_net(skb->sk);
int family = nfmsg->nfgen_family;
- afi = nf_tables_afinfo_lookup(family, false);
+ afi = nf_tables_afinfo_lookup(net, family, false);
if (IS_ERR(afi))
return PTR_ERR(afi);
@@ -919,6 +928,7 @@ static void nft_ctx_init(struct nft_ctx *ctx,
const struct nft_table *table,
const struct nft_chain *chain)
{
+ ctx->net = sock_net(skb->sk);
ctx->skb = skb;
ctx->nlh = nlh;
ctx->afi = afi;
@@ -1228,9 +1238,10 @@ static int nf_tables_dump_rules(struct sk_buff *skb,
const struct nft_chain *chain;
const struct nft_rule *rule;
unsigned int idx = 0, s_idx = cb->args[0];
+ struct net *net = sock_net(skb->sk);
int family = nfmsg->nfgen_family;
- list_for_each_entry(afi, &nf_tables_afinfo, list) {
+ list_for_each_entry(afi, &net->nft.af_info, list) {
if (family != NFPROTO_UNSPEC && family != afi->family)
continue;
@@ -1269,6 +1280,7 @@ static int nf_tables_getrule(struct sock *nlsk, struct sk_buff *skb,
const struct nft_chain *chain;
const struct nft_rule *rule;
struct sk_buff *skb2;
+ struct net *net = sock_net(skb->sk);
int family = nfmsg->nfgen_family;
int err;
@@ -1279,7 +1291,7 @@ static int nf_tables_getrule(struct sock *nlsk, struct sk_buff *skb,
return netlink_dump_start(nlsk, skb, nlh, &c);
}
- afi = nf_tables_afinfo_lookup(family, false);
+ afi = nf_tables_afinfo_lookup(net, family, false);
if (IS_ERR(afi))
return PTR_ERR(afi);
@@ -1344,6 +1356,7 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
{
const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
const struct nft_af_info *afi;
+ struct net *net = sock_net(skb->sk);
struct nft_table *table;
struct nft_chain *chain;
struct nft_rule *rule, *old_rule = NULL;
@@ -1357,7 +1370,7 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
- afi = nf_tables_afinfo_lookup(nfmsg->nfgen_family, create);
+ afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
if (IS_ERR(afi))
return PTR_ERR(afi);
@@ -1452,12 +1465,13 @@ static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
{
const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
const struct nft_af_info *afi;
+ struct net *net = sock_net(skb->sk);
const struct nft_table *table;
struct nft_chain *chain;
struct nft_rule *rule, *tmp;
int family = nfmsg->nfgen_family;
- afi = nf_tables_afinfo_lookup(family, false);
+ afi = nf_tables_afinfo_lookup(net, family, false);
if (IS_ERR(afi))
return PTR_ERR(afi);
@@ -1564,11 +1578,12 @@ static int nft_ctx_init_from_setattr(struct nft_ctx *ctx,
const struct nlmsghdr *nlh,
const struct nlattr * const nla[])
{
+ struct net *net = sock_net(skb->sk);
const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
const struct nft_af_info *afi;
const struct nft_table *table;
- afi = nf_tables_afinfo_lookup(nfmsg->nfgen_family, false);
+ afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
if (IS_ERR(afi))
return PTR_ERR(afi);
@@ -1683,12 +1698,11 @@ static int nf_tables_set_notify(const struct nft_ctx *ctx,
{
struct sk_buff *skb;
u32 portid = NETLINK_CB(ctx->skb).portid;
- struct net *net = sock_net(ctx->skb->sk);
bool report;
int err;
report = nlmsg_report(ctx->nlh);
- if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
+ if (!report && !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
return 0;
err = -ENOBUFS;
@@ -1702,11 +1716,11 @@ static int nf_tables_set_notify(const struct nft_ctx *ctx,
goto err;
}
- err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
+ err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, report,
GFP_KERNEL);
err:
if (err < 0)
- nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
+ nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err);
return err;
}
@@ -1792,6 +1806,7 @@ static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
const struct nft_set_ops *ops;
const struct nft_af_info *afi;
+ struct net *net = sock_net(skb->sk);
struct nft_table *table;
struct nft_set *set;
struct nft_ctx ctx;
@@ -1851,7 +1866,7 @@ static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
- afi = nf_tables_afinfo_lookup(nfmsg->nfgen_family, create);
+ afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
if (IS_ERR(afi))
return PTR_ERR(afi);
@@ -2036,7 +2051,7 @@ static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
const struct nft_af_info *afi;
const struct nft_table *table;
- afi = nf_tables_afinfo_lookup(nfmsg->nfgen_family, false);
+ afi = nf_tables_afinfo_lookup(ctx->net, nfmsg->nfgen_family, false);
if (IS_ERR(afi))
return PTR_ERR(afi);
@@ -2863,6 +2878,16 @@ static struct nf_chain_type filter_ipv6 = {
},
};
+static int nf_tables_init_net(struct net *net)
+{
+ INIT_LIST_HEAD(&net->nft.af_info);
+ return 0;
+}
+
+static struct pernet_operations nf_tables_net_ops = {
+ .init = nf_tables_init_net,
+};
+
static int __init nf_tables_module_init(void)
{
int err;
@@ -2886,7 +2911,7 @@ static int __init nf_tables_module_init(void)
nft_register_chain_type(&filter_ipv6);
pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
- return 0;
+ return register_pernet_subsys(&nf_tables_net_ops);
err3:
nf_tables_core_module_exit();
err2:
@@ -2897,6 +2922,7 @@ err1:
static void __exit nf_tables_module_exit(void)
{
+ unregister_pernet_subsys(&nf_tables_net_ops);
nft_unregister_chain_type(&filter_ipv4);
nft_unregister_chain_type(&filter_ipv6);
nfnetlink_subsys_unregister(&nf_tables_subsys);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 4+ messages in thread