From: Joe Stringer <joestringer@nicira.com>
To: netdev@vger.kernel.org, pshelar@nicira.com
Cc: linux-kernel@vger.kernel.org, pablo@netfilter.org,
fwestpha@redhat.com, hannes@redhat.com, tgraf@suug.ch,
jpettit@nicira.com, jesse@nicira.com,
netfilter-devel@vger.kernel.org
Subject: [PATCHv6 net-next 08/10] netfilter: connlabels: Export setting connlabel length
Date: Wed, 26 Aug 2015 11:31:51 -0700 [thread overview]
Message-ID: <1440613913-10141-9-git-send-email-joestringer@nicira.com> (raw)
In-Reply-To: <1440613913-10141-1-git-send-email-joestringer@nicira.com>
Add functions to change connlabel length into nf_conntrack_labels.c so
they may be reused by other modules like OVS and nftables without
needing to jump through xt_match_check() hoops.
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Florian Westphal <fw@strlen.de>
Acked-by: Thomas Graf <tgraf@suug.ch>
---
v2: Protect connlabel modification with spinlock.
Fix reference leak in error case.
Style fixups.
v3: No change.
v4-v5: Add acks.
---
include/net/netfilter/nf_conntrack_labels.h | 4 ++++
net/netfilter/nf_conntrack_labels.c | 32 +++++++++++++++++++++++++++++
net/netfilter/xt_connlabel.c | 16 ++++-----------
3 files changed, 40 insertions(+), 12 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack_labels.h b/include/net/netfilter/nf_conntrack_labels.h
index dec6336..7e2b1d0 100644
--- a/include/net/netfilter/nf_conntrack_labels.h
+++ b/include/net/netfilter/nf_conntrack_labels.h
@@ -54,7 +54,11 @@ int nf_connlabels_replace(struct nf_conn *ct,
#ifdef CONFIG_NF_CONNTRACK_LABELS
int nf_conntrack_labels_init(void);
void nf_conntrack_labels_fini(void);
+int nf_connlabels_get(struct net *net, unsigned int n_bits);
+void nf_connlabels_put(struct net *net);
#else
static inline int nf_conntrack_labels_init(void) { return 0; }
static inline void nf_conntrack_labels_fini(void) {}
+static inline int nf_connlabels_get(struct net *net, unsigned int n_bits) { return 0; }
+static inline void nf_connlabels_put(struct net *net) {}
#endif
diff --git a/net/netfilter/nf_conntrack_labels.c b/net/netfilter/nf_conntrack_labels.c
index daa7c13..3ce5c31 100644
--- a/net/netfilter/nf_conntrack_labels.c
+++ b/net/netfilter/nf_conntrack_labels.c
@@ -14,6 +14,8 @@
#include <net/netfilter/nf_conntrack_ecache.h>
#include <net/netfilter/nf_conntrack_labels.h>
+static spinlock_t nf_connlabels_lock;
+
static unsigned int label_bits(const struct nf_conn_labels *l)
{
unsigned int longs = l->words;
@@ -89,6 +91,35 @@ int nf_connlabels_replace(struct nf_conn *ct,
}
EXPORT_SYMBOL_GPL(nf_connlabels_replace);
+int nf_connlabels_get(struct net *net, unsigned int n_bits)
+{
+ size_t words;
+
+ if (n_bits > (NF_CT_LABELS_MAX_SIZE * BITS_PER_BYTE))
+ return -ERANGE;
+
+ words = BITS_TO_LONGS(n_bits);
+
+ spin_lock(&nf_connlabels_lock);
+ net->ct.labels_used++;
+ if (words > net->ct.label_words)
+ net->ct.label_words = words;
+ spin_unlock(&nf_connlabels_lock);
+
+ return 0;
+}
+EXPORT_SYMBOL_GPL(nf_connlabels_get);
+
+void nf_connlabels_put(struct net *net)
+{
+ spin_lock(&nf_connlabels_lock);
+ net->ct.labels_used--;
+ if (net->ct.labels_used == 0)
+ net->ct.label_words = 0;
+ spin_unlock(&nf_connlabels_lock);
+}
+EXPORT_SYMBOL_GPL(nf_connlabels_put);
+
static struct nf_ct_ext_type labels_extend __read_mostly = {
.len = sizeof(struct nf_conn_labels),
.align = __alignof__(struct nf_conn_labels),
@@ -97,6 +128,7 @@ static struct nf_ct_ext_type labels_extend __read_mostly = {
int nf_conntrack_labels_init(void)
{
+ spin_lock_init(&nf_connlabels_lock);
return nf_ct_extend_register(&labels_extend);
}
diff --git a/net/netfilter/xt_connlabel.c b/net/netfilter/xt_connlabel.c
index 9f8719d..bb9cbeb 100644
--- a/net/netfilter/xt_connlabel.c
+++ b/net/netfilter/xt_connlabel.c
@@ -42,10 +42,6 @@ static int connlabel_mt_check(const struct xt_mtchk_param *par)
XT_CONNLABEL_OP_SET;
struct xt_connlabel_mtinfo *info = par->matchinfo;
int ret;
- size_t words;
-
- if (info->bit > XT_CONNLABEL_MAXBIT)
- return -ERANGE;
if (info->options & ~options) {
pr_err("Unknown options in mask %x\n", info->options);
@@ -59,19 +55,15 @@ static int connlabel_mt_check(const struct xt_mtchk_param *par)
return ret;
}
- par->net->ct.labels_used++;
- words = BITS_TO_LONGS(info->bit+1);
- if (words > par->net->ct.label_words)
- par->net->ct.label_words = words;
-
+ ret = nf_connlabels_get(par->net, info->bit + 1);
+ if (ret < 0)
+ nf_ct_l3proto_module_put(par->family);
return ret;
}
static void connlabel_mt_destroy(const struct xt_mtdtor_param *par)
{
- par->net->ct.labels_used--;
- if (par->net->ct.labels_used == 0)
- par->net->ct.label_words = 0;
+ nf_connlabels_put(par->net);
nf_ct_l3proto_module_put(par->family);
}
--
2.1.4
next prev parent reply other threads:[~2015-08-26 18:31 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-26 18:31 [PATCHv6 net-next 00/10] OVS conntrack support Joe Stringer
2015-08-26 18:31 ` [PATCHv6 net-next 01/10] openvswitch: Serialize acts with original netlink len Joe Stringer
2015-08-26 18:31 ` [PATCHv6 net-next 02/10] openvswitch: Move MASKED* macros to datapath.h Joe Stringer
2015-08-26 18:31 ` [PATCHv6 net-next 03/10] ipv6: Export nf_ct_frag6_gather() Joe Stringer
2015-08-26 18:31 ` [PATCHv6 net-next 04/10] dst: Add __skb_dst_copy() variation Joe Stringer
2015-08-26 18:31 ` [PATCHv6 net-next 05/10] openvswitch: Add conntrack action Joe Stringer
2015-08-26 18:55 ` Joe Stringer
2015-08-26 20:40 ` Pravin Shelar
2015-08-26 18:31 ` [PATCHv6 net-next 06/10] openvswitch: Allow matching on conntrack mark Joe Stringer
2015-08-26 18:31 ` [PATCHv6 net-next 07/10] netfilter: Always export nf_connlabels_replace() Joe Stringer
2015-08-26 18:31 ` Joe Stringer [this message]
2015-08-26 18:31 ` [PATCHv6 net-next 09/10] openvswitch: Allow matching on conntrack label Joe Stringer
2015-08-26 18:31 ` [PATCHv6 net-next 10/10] openvswitch: Allow attaching helpers to ct action Joe Stringer
2015-08-27 18:41 ` [PATCHv6 net-next 00/10] OVS conntrack support David Miller
2015-08-28 23:57 ` Simon Horman
2015-08-29 2:25 ` Joe Stringer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1440613913-10141-9-git-send-email-joestringer@nicira.com \
--to=joestringer@nicira.com \
--cc=fwestpha@redhat.com \
--cc=hannes@redhat.com \
--cc=jesse@nicira.com \
--cc=jpettit@nicira.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=pshelar@nicira.com \
--cc=tgraf@suug.ch \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).