From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 15/17] netfilter: nf_tables: Add new attributes into nft_set to store user data.
Date: Fri, 8 Jan 2016 15:02:15 +0100 [thread overview]
Message-ID: <1452261737-7475-16-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1452261737-7475-1-git-send-email-pablo@netfilter.org>
From: Carlos Falgueras García <carlosfg@riseup.net>
User data is stored at after 'nft_set_ops' private data into 'data[]'
flexible array. The field 'udata' points to user data and 'udlen' stores
its length.
Add new flag NFTA_SET_USERDATA.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_tables.h | 4 ++++
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nf_tables_api.c | 21 ++++++++++++++++++++-
3 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 0191fbb..f6b1daf 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -291,6 +291,8 @@ void nft_unregister_set(struct nft_set_ops *ops);
* @timeout: default timeout value in msecs
* @gc_int: garbage collection interval in msecs
* @policy: set parameterization (see enum nft_set_policies)
+ * @udlen: user data length
+ * @udata: user data
* @ops: set ops
* @pnet: network namespace
* @flags: set flags
@@ -310,6 +312,8 @@ struct nft_set {
u64 timeout;
u32 gc_int;
u16 policy;
+ u16 udlen;
+ unsigned char *udata;
/* runtime data below here */
const struct nft_set_ops *ops ____cacheline_aligned;
possible_net_t pnet;
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 731288a..03c28a4 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -291,6 +291,7 @@ enum nft_set_desc_attributes {
* @NFTA_SET_ID: uniquely identifies a set in a transaction (NLA_U32)
* @NFTA_SET_TIMEOUT: default timeout value (NLA_U64)
* @NFTA_SET_GC_INTERVAL: garbage collection interval (NLA_U32)
+ * @NFTA_SET_USERDATA: user data (NLA_BINARY)
*/
enum nft_set_attributes {
NFTA_SET_UNSPEC,
@@ -306,6 +307,7 @@ enum nft_set_attributes {
NFTA_SET_ID,
NFTA_SET_TIMEOUT,
NFTA_SET_GC_INTERVAL,
+ NFTA_SET_USERDATA,
__NFTA_SET_MAX
};
#define NFTA_SET_MAX (__NFTA_SET_MAX - 1)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index f5c3971..2011977 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2323,6 +2323,8 @@ static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
[NFTA_SET_ID] = { .type = NLA_U32 },
[NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
[NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
+ [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
+ .len = NFT_USERDATA_MAXLEN },
};
static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
@@ -2482,6 +2484,9 @@ static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
goto nla_put_failure;
}
+ if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
+ goto nla_put_failure;
+
desc = nla_nest_start(skb, NFTA_SET_DESC);
if (desc == NULL)
goto nla_put_failure;
@@ -2691,6 +2696,8 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk,
u64 timeout;
u32 ktype, dtype, flags, policy, gc_int;
struct nft_set_desc desc;
+ unsigned char *udata;
+ u16 udlen;
int err;
if (nla[NFTA_SET_TABLE] == NULL ||
@@ -2803,12 +2810,16 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk,
if (IS_ERR(ops))
return PTR_ERR(ops);
+ udlen = 0;
+ if (nla[NFTA_SET_USERDATA])
+ udlen = nla_len(nla[NFTA_SET_USERDATA]);
+
size = 0;
if (ops->privsize != NULL)
size = ops->privsize(nla);
err = -ENOMEM;
- set = kzalloc(sizeof(*set) + size, GFP_KERNEL);
+ set = kzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
if (set == NULL)
goto err1;
@@ -2817,6 +2828,12 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk,
if (err < 0)
goto err2;
+ udata = NULL;
+ if (udlen) {
+ udata = set->data + size;
+ nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
+ }
+
INIT_LIST_HEAD(&set->bindings);
write_pnet(&set->pnet, net);
set->ops = ops;
@@ -2827,6 +2844,8 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk,
set->flags = flags;
set->size = desc.size;
set->policy = policy;
+ set->udlen = udlen;
+ set->udata = udata;
set->timeout = timeout;
set->gc_int = gc_int;
--
2.1.4
next prev parent reply other threads:[~2016-01-08 14:02 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-08 14:02 [PATCH 00/17] Netfilter updates for net-next Pablo Neira Ayuso
2016-01-08 14:02 ` [PATCH 01/17] netfilter: nf_tables: release objects on netns destruction Pablo Neira Ayuso
2016-01-08 14:02 ` [PATCH 02/17] netfilter: nf_tables: destroy basechain and rules on netdevice removal Pablo Neira Ayuso
2016-01-08 14:02 ` [PATCH 03/17] netfilter: nf_tables: remove check against removal of inactive objects Pablo Neira Ayuso
2016-01-08 14:02 ` [PATCH 04/17] netfilter: nfnetlink: pass down netns pointer to call() and call_rcu() Pablo Neira Ayuso
2016-01-08 14:02 ` [PATCH 05/17] netfilter: nfnetlink: pass down netns pointer to commit() and abort() callbacks Pablo Neira Ayuso
2016-01-08 14:02 ` [PATCH 06/17] netfilter: nft_limit: allow to invert matching criteria Pablo Neira Ayuso
2016-01-08 14:02 ` [PATCH 07/17] netfilter: nf_tables: add packet duplication to the netdev family Pablo Neira Ayuso
2016-01-08 14:02 ` [PATCH 08/17] netfilter: nf_tables: add forward expression " Pablo Neira Ayuso
2016-01-08 14:02 ` [PATCH 09/17] netfilter: nf_ct_helper: define pr_fmt() Pablo Neira Ayuso
2016-01-08 14:02 ` [PATCH 10/17] netfilter: nfnetlink_queue: validate dependencies to avoid breaking atomicity Pablo Neira Ayuso
2016-01-08 14:02 ` [PATCH 11/17] netfilter: nfnetlink_queue: don't handle options after unbind Pablo Neira Ayuso
2016-01-08 14:02 ` [PATCH 12/17] netfilter: nfnetlink_queue: just returns error for unknown command Pablo Neira Ayuso
2016-01-08 14:02 ` [PATCH 13/17] netfilter: nfnetlink_queue: autoload nf_conntrack_netlink module NFQA_CFG_F_CONNTRACK config flag Pablo Neira Ayuso
2016-01-08 14:02 ` [PATCH 14/17] netfilter: nfnetlink_log: just returns error for unknown command Pablo Neira Ayuso
2016-01-08 14:02 ` Pablo Neira Ayuso [this message]
2016-01-08 14:02 ` [PATCH 16/17] netfilter: nft_byteorder: provide 64bit le/be conversion Pablo Neira Ayuso
2016-01-08 14:26 ` David Laight
2016-01-08 16:23 ` Florian Westphal
2016-01-08 16:41 ` David Laight
2016-01-08 16:55 ` Florian Westphal
2016-01-08 14:02 ` [PATCH 17/17] netfilter: nft_ct: add byte/packet counter support Pablo Neira Ayuso
2016-01-09 2:24 ` [PATCH 00/17] Netfilter updates for net-next David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1452261737-7475-16-git-send-email-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).