From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 06/22] netfilter: nf_tables: validate the expr explicitly after init successfully
Date: Mon, 20 Mar 2017 11:08:34 +0100 [thread overview]
Message-ID: <1490004530-9128-7-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1490004530-9128-1-git-send-email-pablo@netfilter.org>
From: Liping Zhang <zlpnobody@gmail.com>
When we want to validate the expr's dependency or hooks, we must do two
things to accomplish it. First, write a X_validate callback function
and point ->validate to it. Second, call X_validate in init routine.
This is very common, such as fib, nat, reject expr and so on ...
It is a little ugly, since we will call X_validate in the expr's init
routine, it's better to do it in nf_tables_newexpr. So we can avoid to
do this again and again. After doing this, the second step listed above
is not useful anymore, remove them now.
Patch was tested by nftables/tests/py/nft-test.py and
nftables/tests/shell/run-tests.sh.
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/bridge/netfilter/nft_reject_bridge.c | 6 +-----
net/netfilter/nf_tables_api.c | 11 +++++++++++
net/netfilter/nft_compat.c | 8 --------
net/netfilter/nft_fib.c | 2 +-
net/netfilter/nft_masq.c | 4 ----
net/netfilter/nft_meta.c | 4 ----
net/netfilter/nft_nat.c | 4 ----
net/netfilter/nft_redir.c | 4 ----
net/netfilter/nft_reject.c | 5 -----
net/netfilter/nft_reject_inet.c | 6 +-----
10 files changed, 14 insertions(+), 40 deletions(-)
diff --git a/net/bridge/netfilter/nft_reject_bridge.c b/net/bridge/netfilter/nft_reject_bridge.c
index 206dc266ecd2..346ef6b00b8f 100644
--- a/net/bridge/netfilter/nft_reject_bridge.c
+++ b/net/bridge/netfilter/nft_reject_bridge.c
@@ -375,11 +375,7 @@ static int nft_reject_bridge_init(const struct nft_ctx *ctx,
const struct nlattr * const tb[])
{
struct nft_reject *priv = nft_expr_priv(expr);
- int icmp_code, err;
-
- err = nft_reject_bridge_validate(ctx, expr, NULL);
- if (err < 0)
- return err;
+ int icmp_code;
if (tb[NFTA_REJECT_TYPE] == NULL)
return -EINVAL;
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 5e0ccfd5bb37..fd8789eccc92 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1772,8 +1772,19 @@ static int nf_tables_newexpr(const struct nft_ctx *ctx,
goto err1;
}
+ if (ops->validate) {
+ const struct nft_data *data = NULL;
+
+ err = ops->validate(ctx, expr, &data);
+ if (err < 0)
+ goto err2;
+ }
+
return 0;
+err2:
+ if (ops->destroy)
+ ops->destroy(ctx, expr);
err1:
expr->ops = NULL;
return err;
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index c21e7eb8dce0..fab6bf3f955e 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -230,10 +230,6 @@ nft_target_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
union nft_entry e = {};
int ret;
- ret = nft_compat_chain_validate_dependency(target->table, ctx->chain);
- if (ret < 0)
- goto err;
-
target_compat_from_user(target, nla_data(tb[NFTA_TARGET_INFO]), info);
if (ctx->nla[NFTA_RULE_COMPAT]) {
@@ -419,10 +415,6 @@ nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
union nft_entry e = {};
int ret;
- ret = nft_compat_chain_validate_dependency(match->table, ctx->chain);
- if (ret < 0)
- goto err;
-
match_compat_from_user(match, nla_data(tb[NFTA_MATCH_INFO]), info);
if (ctx->nla[NFTA_RULE_COMPAT]) {
diff --git a/net/netfilter/nft_fib.c b/net/netfilter/nft_fib.c
index 29a4906adc27..fd0b19303b0d 100644
--- a/net/netfilter/nft_fib.c
+++ b/net/netfilter/nft_fib.c
@@ -112,7 +112,7 @@ int nft_fib_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
if (err < 0)
return err;
- return nft_fib_validate(ctx, expr, NULL);
+ return 0;
}
EXPORT_SYMBOL_GPL(nft_fib_init);
diff --git a/net/netfilter/nft_masq.c b/net/netfilter/nft_masq.c
index 11ce016cd479..6ac03d4266c9 100644
--- a/net/netfilter/nft_masq.c
+++ b/net/netfilter/nft_masq.c
@@ -46,10 +46,6 @@ int nft_masq_init(const struct nft_ctx *ctx,
struct nft_masq *priv = nft_expr_priv(expr);
int err;
- err = nft_masq_validate(ctx, expr, NULL);
- if (err)
- return err;
-
if (tb[NFTA_MASQ_FLAGS]) {
priv->flags = ntohl(nla_get_be32(tb[NFTA_MASQ_FLAGS]));
if (priv->flags & ~NF_NAT_RANGE_MASK)
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index e1f5ca9b423b..d14417aaf5d4 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -370,10 +370,6 @@ int nft_meta_set_init(const struct nft_ctx *ctx,
return -EOPNOTSUPP;
}
- err = nft_meta_set_validate(ctx, expr, NULL);
- if (err < 0)
- return err;
-
priv->sreg = nft_parse_register(tb[NFTA_META_SREG]);
err = nft_validate_register_load(priv->sreg, len);
if (err < 0)
diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
index 19a7bf3236f9..26a74dfb3b7a 100644
--- a/net/netfilter/nft_nat.c
+++ b/net/netfilter/nft_nat.c
@@ -138,10 +138,6 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
return -EINVAL;
}
- err = nft_nat_validate(ctx, expr, NULL);
- if (err < 0)
- return err;
-
if (tb[NFTA_NAT_FAMILY] == NULL)
return -EINVAL;
diff --git a/net/netfilter/nft_redir.c b/net/netfilter/nft_redir.c
index 40dcd05146d5..1e66538bf0ff 100644
--- a/net/netfilter/nft_redir.c
+++ b/net/netfilter/nft_redir.c
@@ -47,10 +47,6 @@ int nft_redir_init(const struct nft_ctx *ctx,
unsigned int plen;
int err;
- err = nft_redir_validate(ctx, expr, NULL);
- if (err < 0)
- return err;
-
plen = FIELD_SIZEOF(struct nf_nat_range, min_addr.all);
if (tb[NFTA_REDIR_REG_PROTO_MIN]) {
priv->sreg_proto_min =
diff --git a/net/netfilter/nft_reject.c b/net/netfilter/nft_reject.c
index c64de3f7379d..29f5bd2377b0 100644
--- a/net/netfilter/nft_reject.c
+++ b/net/netfilter/nft_reject.c
@@ -42,11 +42,6 @@ int nft_reject_init(const struct nft_ctx *ctx,
const struct nlattr * const tb[])
{
struct nft_reject *priv = nft_expr_priv(expr);
- int err;
-
- err = nft_reject_validate(ctx, expr, NULL);
- if (err < 0)
- return err;
if (tb[NFTA_REJECT_TYPE] == NULL)
return -EINVAL;
diff --git a/net/netfilter/nft_reject_inet.c b/net/netfilter/nft_reject_inet.c
index 9e90a02cb104..5a7fb5ff867d 100644
--- a/net/netfilter/nft_reject_inet.c
+++ b/net/netfilter/nft_reject_inet.c
@@ -66,11 +66,7 @@ static int nft_reject_inet_init(const struct nft_ctx *ctx,
const struct nlattr * const tb[])
{
struct nft_reject *priv = nft_expr_priv(expr);
- int icmp_code, err;
-
- err = nft_reject_validate(ctx, expr, NULL);
- if (err < 0)
- return err;
+ int icmp_code;
if (tb[NFTA_REJECT_TYPE] == NULL)
return -EINVAL;
--
2.1.4
next prev parent reply other threads:[~2017-03-20 10:08 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-20 10:08 [PATCH 00/22] Netfilter/IPVS updates for net-next Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 01/22] netfilter: nft_exthdr: Allow checking TCP option presence, too Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 02/22] netfilter: nft_hash: rename nft_hash to nft_jhash Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 03/22] netfilter: nft_hash: support of symmetric hash Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 04/22] netfilter: Use pr_cont where appropriate Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 05/22] netfilter: arp_tables: remove redundant check on ret being non-zero Pablo Neira Ayuso
2017-03-20 10:08 ` Pablo Neira Ayuso [this message]
2017-03-20 10:08 ` [PATCH 07/22] netfilter: nf_tables: add nft_set_lookup() Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 08/22] netfilter: bridge: remove unneeded rcu_read_lock Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 09/22] netfilter: nf_reject: remove unused variable Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 10/22] netfilter: provide nft_ctx in object init function Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 11/22] netfilter: nft_ct: add helper set support Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 12/22] netfilter: nft_fib: Support existence check Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 13/22] netfilter: nf_conntrack: reduce resolve_normal_ct args Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 14/22] netfilter: limit: use per-rule spinlock to improve the scalability Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 15/22] netfilter: nft_set_rbtree: use per-set rwlock " Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 16/22] ipvs: remove an annoying printk in netns init Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 17/22] ipvs: fix sync_threshold description and add sync_refresh_period, sync_retries Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 18/22] ipvs: Document sysctl sync_qlen_max and sync_sock_size Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 19/22] ipvs: Document sysctl sync_ports Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 20/22] ipvs: Document sysctl pmtu_disc Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 21/22] netfilter: refcounter conversions Pablo Neira Ayuso
2017-03-20 10:08 ` [PATCH 22/22] netfilter: fix the warning on unused refcount variable Pablo Neira Ayuso
2017-03-21 21:34 ` [PATCH 00/22] Netfilter/IPVS updates for net-next David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1490004530-9128-7-git-send-email-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).