From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 22/25] netfilter: nf_tables: use new transaction infrastructure to handle elements
Date: Wed, 21 May 2014 11:43:19 +0200 [thread overview]
Message-ID: <1400665402-5835-22-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1400665402-5835-1-git-send-email-pablo@netfilter.org>
Leave the set content in consistent state if we fail to load the
batch. Use the new generic transaction infrastructure to achieve
this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_tables.h | 10 +++++
net/netfilter/nf_tables_api.c | 82 ++++++++++++++++++++++++++++++-------
2 files changed, 78 insertions(+), 14 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 15bf745..b08f2a9 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -446,6 +446,16 @@ struct nft_trans_table {
#define nft_trans_table_enable(trans) \
(((struct nft_trans_table *)trans->data)->enable)
+struct nft_trans_elem {
+ struct nft_set *set;
+ struct nft_set_elem elem;
+};
+
+#define nft_trans_elem_set(trans) \
+ (((struct nft_trans_elem *)trans->data)->set)
+#define nft_trans_elem(trans) \
+ (((struct nft_trans_elem *)trans->data)->elem)
+
static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule)
{
return (struct nft_expr *)&rule->data[0];
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 3e685db..cd00293 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2993,7 +2993,21 @@ err:
return err;
}
-static int nft_add_set_elem(const struct nft_ctx *ctx, struct nft_set *set,
+static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
+ int msg_type,
+ struct nft_set *set)
+{
+ struct nft_trans *trans;
+
+ trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
+ if (trans == NULL)
+ return NULL;
+
+ nft_trans_elem_set(trans) = set;
+ return trans;
+}
+
+static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
const struct nlattr *attr)
{
struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
@@ -3001,6 +3015,7 @@ static int nft_add_set_elem(const struct nft_ctx *ctx, struct nft_set *set,
struct nft_set_elem elem;
struct nft_set_binding *binding;
enum nft_registers dreg;
+ struct nft_trans *trans;
int err;
if (set->size && set->nelems == set->size)
@@ -3068,14 +3083,20 @@ static int nft_add_set_elem(const struct nft_ctx *ctx, struct nft_set *set,
}
}
+ trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
+ if (trans == NULL)
+ goto err3;
+
err = set->ops->insert(set, &elem);
if (err < 0)
- goto err3;
- set->nelems++;
+ goto err4;
- nf_tables_setelem_notify(ctx, set, &elem, NFT_MSG_NEWSETELEM, 0);
+ nft_trans_elem(trans) = elem;
+ list_add(&trans->list, &ctx->net->nft.commit_list);
return 0;
+err4:
+ kfree(trans);
err3:
if (nla[NFTA_SET_ELEM_DATA] != NULL)
nft_data_uninit(&elem.data, d2.type);
@@ -3093,7 +3114,7 @@ static int nf_tables_newsetelem(struct sock *nlsk, struct sk_buff *skb,
const struct nlattr *attr;
struct nft_set *set;
struct nft_ctx ctx;
- int rem, err;
+ int rem, err = 0;
err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, true);
if (err < 0)
@@ -3115,17 +3136,18 @@ static int nf_tables_newsetelem(struct sock *nlsk, struct sk_buff *skb,
nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
err = nft_add_set_elem(&ctx, set, attr);
if (err < 0)
- return err;
+ break;
}
- return 0;
+ return err;
}
-static int nft_del_setelem(const struct nft_ctx *ctx, struct nft_set *set,
+static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
const struct nlattr *attr)
{
struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
struct nft_data_desc desc;
struct nft_set_elem elem;
+ struct nft_trans *trans;
int err;
err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
@@ -3149,10 +3171,12 @@ static int nft_del_setelem(const struct nft_ctx *ctx, struct nft_set *set,
if (err < 0)
goto err2;
- set->ops->remove(set, &elem);
- set->nelems--;
+ trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
+ if (trans == NULL)
+ goto err2;
- nf_tables_setelem_notify(ctx, set, &elem, NFT_MSG_DELSETELEM, 0);
+ nft_trans_elem(trans) = elem;
+ list_add(&trans->list, &ctx->net->nft.commit_list);
nft_data_uninit(&elem.key, NFT_DATA_VALUE);
if (set->flags & NFT_SET_MAP)
@@ -3171,7 +3195,7 @@ static int nf_tables_delsetelem(struct sock *nlsk, struct sk_buff *skb,
const struct nlattr *attr;
struct nft_set *set;
struct nft_ctx ctx;
- int rem, err;
+ int rem, err = 0;
err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, false);
if (err < 0)
@@ -3186,9 +3210,9 @@ static int nf_tables_delsetelem(struct sock *nlsk, struct sk_buff *skb,
nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
err = nft_del_setelem(&ctx, set, attr);
if (err < 0)
- return err;
+ break;
}
- return 0;
+ return err;
}
static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
@@ -3294,6 +3318,7 @@ static int nf_tables_commit(struct sk_buff *skb)
{
struct net *net = sock_net(skb->sk);
struct nft_trans *trans, *next;
+ struct nft_set *set;
/* Bump generation counter, invalidate any dump in progress */
net->nft.genctr++;
@@ -3385,6 +3410,25 @@ static int nf_tables_commit(struct sk_buff *skb)
nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
NFT_MSG_DELSET);
break;
+ case NFT_MSG_NEWSETELEM:
+ nft_trans_elem_set(trans)->nelems++;
+ nf_tables_setelem_notify(&trans->ctx,
+ nft_trans_elem_set(trans),
+ &nft_trans_elem(trans),
+ NFT_MSG_NEWSETELEM, 0);
+ nft_trans_destroy(trans);
+ break;
+ case NFT_MSG_DELSETELEM:
+ nft_trans_elem_set(trans)->nelems--;
+ nf_tables_setelem_notify(&trans->ctx,
+ nft_trans_elem_set(trans),
+ &nft_trans_elem(trans),
+ NFT_MSG_DELSETELEM, 0);
+ set = nft_trans_elem_set(trans);
+ set->ops->get(set, &nft_trans_elem(trans));
+ set->ops->remove(set, &nft_trans_elem(trans));
+ nft_trans_destroy(trans);
+ break;
}
}
@@ -3418,6 +3462,7 @@ static int nf_tables_abort(struct sk_buff *skb)
{
struct net *net = sock_net(skb->sk);
struct nft_trans *trans, *next;
+ struct nft_set *set;
list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
switch (trans->msg_type) {
@@ -3473,6 +3518,15 @@ static int nf_tables_abort(struct sk_buff *skb)
&trans->ctx.table->sets);
nft_trans_destroy(trans);
break;
+ case NFT_MSG_NEWSETELEM:
+ set = nft_trans_elem_set(trans);
+ set->ops->get(set, &nft_trans_elem(trans));
+ set->ops->remove(set, &nft_trans_elem(trans));
+ nft_trans_destroy(trans);
+ break;
+ case NFT_MSG_DELSETELEM:
+ nft_trans_destroy(trans);
+ break;
}
}
--
1.7.10.4
next prev parent reply other threads:[~2014-05-21 9:43 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-21 9:42 [PATCH 00/25] Netfilter/nftables updates for net-next Pablo Neira Ayuso
2014-05-21 9:42 ` [PATCH 01/25] netfilter: nft_ct: add missing ifdef for NFT_MARK setting Pablo Neira Ayuso
2014-05-21 9:43 ` [PATCH 02/25] netfilter: nft_meta: split nft_meta_init() into two functions for get/set Pablo Neira Ayuso
2014-05-21 9:43 ` [PATCH 03/25] netfilter: nft_ct: split nft_ct_init() " Pablo Neira Ayuso
2014-05-21 9:43 ` [PATCH 04/25] netfilter: nf_tables: implement proper set selection Pablo Neira Ayuso
2014-05-21 9:43 ` [PATCH 05/25] netfilter: nft_hash: use set global element counter instead of private one Pablo Neira Ayuso
2014-05-21 9:43 ` [PATCH 06/25] netfilter: nf_tables: add set_elem notifications Pablo Neira Ayuso
2014-05-21 9:43 ` [PATCH 07/25] netfilter: nf_tables: handle more than 8 * PAGE_SIZE set name allocations Pablo Neira Ayuso
2014-05-21 9:43 ` [PATCH 08/25] netfilter: nf_tables: Stack expression type depending on their family Pablo Neira Ayuso
2014-05-21 9:43 ` [PATCH 10/25] netfilter: nf_tables: Add meta expression key for bridge interface name Pablo Neira Ayuso
2014-05-21 9:43 ` [PATCH 11/25] netfilter: nf_tables: relax string validation of NFTA_CHAIN_TYPE Pablo Neira Ayuso
2014-05-21 9:43 ` [PATCH 12/25] netfilter: nf_tables: deconstify table and chain in context structure Pablo Neira Ayuso
2014-05-21 9:43 ` [PATCH 13/25] netfilter: nf_tables: generalise transaction infrastructure Pablo Neira Ayuso
2014-05-21 9:43 ` [PATCH 14/25] netfilter: nf_tables: relocate commit and abort routines in the source file Pablo Neira Ayuso
2014-05-21 9:43 ` [PATCH 15/25] netfilter: nf_tables: add message type to transactions Pablo Neira Ayuso
2014-05-21 9:43 ` [PATCH 16/25] netfilter: nf_tables: use new transaction infrastructure to handle sets Pablo Neira Ayuso
2014-05-21 9:43 ` [PATCH 17/25] netfilter: nf_tables: refactor chain statistic routines Pablo Neira Ayuso
2014-05-21 9:43 ` [PATCH 18/25] netfilter: nf_tables: use new transaction infrastructure to handle chain Pablo Neira Ayuso
2014-05-21 9:43 ` [PATCH 19/25] netfilter: nf_tables: disabling table hooks always succeeds Pablo Neira Ayuso
2014-05-21 9:43 ` [PATCH 20/25] netfilter: nf_tables: pass context to nf_tables_updtable() Pablo Neira Ayuso
2014-05-21 9:43 ` [PATCH 21/25] netfilter: nf_tables: use new transaction infrastructure to handle table Pablo Neira Ayuso
2014-05-21 9:43 ` Pablo Neira Ayuso [this message]
2014-05-21 9:43 ` [PATCH 23/25] netfilter: nf_tables: simplify nf_tables_*_notify Pablo Neira Ayuso
2014-05-21 9:43 ` [PATCH 24/25] netfilter: nf_tables: remove skb and nlh from context structure Pablo Neira Ayuso
2014-05-21 9:43 ` [PATCH 25/25] netfilter: nf_tables: defer all object release via rcu Pablo Neira Ayuso
2014-05-22 16:09 ` [PATCH 00/25] Netfilter/nftables updates for net-next David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1400665402-5835-22-git-send-email-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).