From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 19/29] netfilter: nf_tables: honor NLM_F_EXCL flag in set element insertion
Date: Mon, 5 Sep 2016 12:58:34 +0200 [thread overview]
Message-ID: <1473073124-5015-20-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1473073124-5015-1-git-send-email-pablo@netfilter.org>
If the NLM_F_EXCL flag is set, then new elements that clash with an
existing one return EEXIST. In case you try to add an element whose
data area differs from what we have, then this returns EBUSY. If no
flag is specified at all, then this returns success to userspace.
This patch also update the set insert operation so we can fetch the
existing element that clashes with the one you want to add, we need
this to make sure the element data doesn't differ.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_tables.h | 3 ++-
net/netfilter/nf_tables_api.c | 20 +++++++++++++++-----
net/netfilter/nft_set_hash.c | 17 +++++++++++++----
net/netfilter/nft_set_rbtree.c | 12 ++++++++----
4 files changed, 38 insertions(+), 14 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index f2f1339..8972468 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -251,7 +251,8 @@ struct nft_set_ops {
int (*insert)(const struct net *net,
const struct nft_set *set,
- const struct nft_set_elem *elem);
+ const struct nft_set_elem *elem,
+ struct nft_set_ext **ext);
void (*activate)(const struct net *net,
const struct nft_set *set,
const struct nft_set_elem *elem);
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 221d27f..bd9715e 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3483,12 +3483,12 @@ static int nft_setelem_parse_flags(const struct nft_set *set,
}
static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
- const struct nlattr *attr)
+ const struct nlattr *attr, u32 nlmsg_flags)
{
struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
struct nft_data_desc d1, d2;
struct nft_set_ext_tmpl tmpl;
- struct nft_set_ext *ext;
+ struct nft_set_ext *ext, *ext2;
struct nft_set_elem elem;
struct nft_set_binding *binding;
struct nft_userdata *udata;
@@ -3615,9 +3615,19 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
goto err4;
ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
- err = set->ops->insert(ctx->net, set, &elem);
- if (err < 0)
+ err = set->ops->insert(ctx->net, set, &elem, &ext2);
+ if (err) {
+ if (err == -EEXIST) {
+ if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
+ nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
+ memcmp(nft_set_ext_data(ext),
+ nft_set_ext_data(ext2), set->dlen) != 0)
+ err = -EBUSY;
+ else if (!(nlmsg_flags & NLM_F_EXCL))
+ err = 0;
+ }
goto err5;
+ }
nft_trans_elem(trans) = elem;
list_add_tail(&trans->list, &ctx->net->nft.commit_list);
@@ -3673,7 +3683,7 @@ static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
!atomic_add_unless(&set->nelems, 1, set->size + set->ndeact))
return -ENFILE;
- err = nft_add_set_elem(&ctx, set, attr);
+ err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
if (err < 0) {
atomic_dec(&set->nelems);
break;
diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
index 564fa79..3794cb2 100644
--- a/net/netfilter/nft_set_hash.c
+++ b/net/netfilter/nft_set_hash.c
@@ -126,7 +126,8 @@ err1:
}
static int nft_hash_insert(const struct net *net, const struct nft_set *set,
- const struct nft_set_elem *elem)
+ const struct nft_set_elem *elem,
+ struct nft_set_ext **ext)
{
struct nft_hash *priv = nft_set_priv(set);
struct nft_hash_elem *he = elem->priv;
@@ -135,9 +136,17 @@ static int nft_hash_insert(const struct net *net, const struct nft_set *set,
.set = set,
.key = elem->key.val.data,
};
-
- return rhashtable_lookup_insert_key(&priv->ht, &arg, &he->node,
- nft_hash_params);
+ struct nft_hash_elem *prev;
+
+ prev = rhashtable_lookup_get_insert_key(&priv->ht, &arg, &he->node,
+ nft_hash_params);
+ if (IS_ERR(prev))
+ return PTR_ERR(prev);
+ if (prev) {
+ *ext = &prev->ext;
+ return -EEXIST;
+ }
+ return 0;
}
static void nft_hash_activate(const struct net *net, const struct nft_set *set,
diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
index 6473936..038682d 100644
--- a/net/netfilter/nft_set_rbtree.c
+++ b/net/netfilter/nft_set_rbtree.c
@@ -94,7 +94,8 @@ out:
}
static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set,
- struct nft_rbtree_elem *new)
+ struct nft_rbtree_elem *new,
+ struct nft_set_ext **ext)
{
struct nft_rbtree *priv = nft_set_priv(set);
u8 genmask = nft_genmask_next(net);
@@ -122,8 +123,10 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set,
else if (!nft_rbtree_interval_end(rbe) &&
nft_rbtree_interval_end(new))
p = &parent->rb_right;
- else
+ else {
+ *ext = &rbe->ext;
return -EEXIST;
+ }
}
}
}
@@ -133,13 +136,14 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set,
}
static int nft_rbtree_insert(const struct net *net, const struct nft_set *set,
- const struct nft_set_elem *elem)
+ const struct nft_set_elem *elem,
+ struct nft_set_ext **ext)
{
struct nft_rbtree_elem *rbe = elem->priv;
int err;
spin_lock_bh(&nft_rbtree_lock);
- err = __nft_rbtree_insert(net, set, rbe);
+ err = __nft_rbtree_insert(net, set, rbe, ext);
spin_unlock_bh(&nft_rbtree_lock);
return err;
--
2.1.4
next prev parent reply other threads:[~2016-09-05 10:58 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-05 10:58 [PATCH 00/29] Netfilter updates for net-next Pablo Neira Ayuso
2016-09-05 10:58 ` [PATCH 01/29] netfilter: conntrack: Only need first 4 bytes to get l4proto ports Pablo Neira Ayuso
2016-09-05 10:58 ` [PATCH 02/29] netfilter: physdev: add missed blank Pablo Neira Ayuso
2016-09-05 17:43 ` Joe Perches
2016-09-05 10:58 ` [PATCH 03/29] netfilter: nf_dup4: remove redundant checksum recalculation Pablo Neira Ayuso
2016-09-05 10:58 ` [PATCH 04/29] netfilter: use_nf_conn_expires helper in more places Pablo Neira Ayuso
2016-09-05 10:58 ` [PATCH 05/29] ipvs: use nf_ct_kill helper Pablo Neira Ayuso
2016-09-05 10:58 ` [PATCH 06/29] netfilter: nf_tables: rename set implementations Pablo Neira Ayuso
2016-09-05 10:58 ` [PATCH 07/29] netfilter: nf_tables: add hash expression Pablo Neira Ayuso
2016-09-05 10:58 ` [PATCH 08/29] netfilter: remove ip_conntrack* sysctl compat code Pablo Neira Ayuso
2016-09-05 10:58 ` [PATCH 09/29] netfilter: conntrack: simplify the code by using nf_conntrack_get_ht Pablo Neira Ayuso
2016-09-05 10:58 ` [PATCH 10/29] netfilter: nf_conntrack: restore nf_conntrack_htable_size as exported symbol Pablo Neira Ayuso
2016-09-05 10:58 ` [PATCH 11/29] netfilter: nf_tables: add quota expression Pablo Neira Ayuso
2016-09-05 10:58 ` [PATCH 12/29] netfilter: nf_tables: add number generator expression Pablo Neira Ayuso
2016-09-05 10:58 ` [PATCH 13/29] netfilter: fix spelling mistake: "delimitter" -> "delimiter" Pablo Neira Ayuso
2016-09-05 10:58 ` [PATCH 14/29] netfilter: nft_hash: fix non static symbol warning Pablo Neira Ayuso
2016-09-05 10:58 ` [PATCH 15/29] netfilter: nf_tables: typo in trace attribute definition Pablo Neira Ayuso
2016-09-05 10:58 ` [PATCH 16/29] netfilter: nf_tables: introduce nft_chain_parse_hook() Pablo Neira Ayuso
2016-09-05 10:58 ` [PATCH 17/29] netfilter: nf_tables: reject hook configuration updates on existing chains Pablo Neira Ayuso
2016-09-05 10:58 ` [PATCH 18/29] rhashtable: add rhashtable_lookup_get_insert_key() Pablo Neira Ayuso
2016-09-05 10:58 ` Pablo Neira Ayuso [this message]
2016-09-05 10:58 ` [PATCH 20/29] netfilter: nf_tables: Use nla_put_be32() to dump immediate parameters Pablo Neira Ayuso
2016-09-05 10:58 ` [PATCH 21/29] netfilter: restart search if moved to other chain Pablo Neira Ayuso
2016-09-05 10:58 ` [PATCH 22/29] netfilter: don't rely on DYING bit to detect when destroy event was sent Pablo Neira Ayuso
2016-09-05 10:58 ` [PATCH 23/29] netfilter: conntrack: get rid of conntrack timer Pablo Neira Ayuso
2016-09-05 10:58 ` [PATCH 24/29] netfilter: evict stale entries on netlink dumps Pablo Neira Ayuso
2016-09-05 10:58 ` [PATCH 25/29] netfilter: conntrack: add gc worker to remove timed-out entries Pablo Neira Ayuso
2016-09-05 10:58 ` [PATCH 26/29] netfilter: conntrack: resched gc again if eviction rate is high Pablo Neira Ayuso
2016-09-05 10:58 ` [PATCH 27/29] netfilter: remove __nf_ct_kill_acct helper Pablo Neira Ayuso
2016-09-05 10:58 ` [PATCH 28/29] netfilter: log_arp: Use ARPHRD_ETHER instead of literal '1' Pablo Neira Ayuso
2016-09-05 10:58 ` [PATCH 29/29] netfilter: log: Check param to avoid overflow in nf_log_set Pablo Neira Ayuso
2016-09-06 19:47 ` [PATCH 00/29] Netfilter updates for net-next David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1473073124-5015-20-git-send-email-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).