netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Eric Leblond <eric@regit.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] netfilter: nf_tables: add insert operation
Date: Sun, 7 Jul 2013 23:56:44 +0200	[thread overview]
Message-ID: <20130707215644.GA31231@localhost> (raw)
In-Reply-To: <1373124677-6626-2-git-send-email-eric@regit.org>

Hi Eric,

Thanks for this new round, some comments below:

On Sat, Jul 06, 2013 at 05:31:17PM +0200, Eric Leblond wrote:
> This patch adds a new rule attribute NFTA_RULE_POSITION which is
> used to store the position of a rule relatively to the others.
> By providing a create command and specifying a position, the rule is
> inserted after the rule with the handle equal to the provided
> position.
> Regarding notification, the position attribute is added to specify
> the handle of the previous rule in append mode and the handle of
> the next rule in the other case.
> 
> Signed-off-by: Eric Leblond <eric@regit.org>
> ---
>  include/uapi/linux/netfilter/nf_tables.h |  1 +
>  net/netfilter/nf_tables_api.c            | 47 +++++++++++++++++++++++++++++---
>  2 files changed, 44 insertions(+), 4 deletions(-)
> 
> diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
> index d40a7f9..d9bf8ea 100644
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b/include/uapi/linux/netfilter/nf_tables.h
> @@ -143,6 +143,7 @@ enum nft_rule_attributes {
>  	NFTA_RULE_EXPRESSIONS,
>  	NFTA_RULE_FLAGS,
>  	NFTA_RULE_COMPAT,
> +	NFTA_RULE_POSITION,
>  	__NFTA_RULE_MAX
>  };
>  #define NFTA_RULE_MAX		(__NFTA_RULE_MAX - 1)
> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> index b00aca8..ce8a4f0 100644
> --- a/net/netfilter/nf_tables_api.c
> +++ b/net/netfilter/nf_tables_api.c
> @@ -1267,6 +1267,7 @@ static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
>  	[NFTA_RULE_EXPRESSIONS]	= { .type = NLA_NESTED },
>  	[NFTA_RULE_FLAGS]	= { .type = NLA_U32 },
>  	[NFTA_RULE_COMPAT]	= { .type = NLA_NESTED },
> +	[NFTA_RULE_POSITION]	= { .type = NLA_U64 },
>  };
>  
>  static int nf_tables_fill_rule_info(struct sk_buff *skb, u32 portid, u32 seq,
> @@ -1279,6 +1280,7 @@ static int nf_tables_fill_rule_info(struct sk_buff *skb, u32 portid, u32 seq,
>  	struct nfgenmsg *nfmsg;
>  	const struct nft_expr *expr, *next;
>  	struct nlattr *list;
> +	const struct nft_rule *prule;
>  
>  	event |= NFNL_SUBSYS_NFTABLES << 8;
>  	nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
> @@ -1298,6 +1300,26 @@ static int nf_tables_fill_rule_info(struct sk_buff *skb, u32 portid, u32 seq,
>  	if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle)))
>  		goto nla_put_failure;
>  
> +	if (event & NLM_F_APPEND) {

This should be if (flags & NLM_F_APPEND)

> +		if ((rule->list.prev != LIST_POISON2) &&

You can use event instead to catch the deletion case:

if (event != NFT_MSG_DELRULE)

> +		    (rule->list.prev != &chain->rules)) {
> +			prule = list_entry(rule->list.prev,
> +					   struct nft_rule, list);
> +			if (nla_put_be64(skb, NFTA_RULE_POSITION,
> +					 cpu_to_be64(prule->handle)))
> +				goto nla_put_failure;
> +		}
> +	} else {
> +		if ((rule->list.next != LIST_POISON1) &&
> +		    (rule->list.next != &chain->rules)) {

You can use list_is_last instead of rule->list.next != &chain->rules.

Unfortunately, there is no list_is_first, but we could ask for
mainstream inclusion later on.

> +			prule = list_entry(rule->list.next,
> +					   struct nft_rule, list);
> +			if (nla_put_be64(skb, NFTA_RULE_POSITION,
> +					 cpu_to_be64(prule->handle)))
> +				goto nla_put_failure;
> +		}
> +	}
> +
>  	list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
>  	if (list == NULL)
>  		goto nla_put_failure;
> @@ -1537,7 +1559,7 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
>  	int err, rem;
>  	bool create;
>  	u32 flags = 0;
> -	u64 handle;
> +	u64 handle, pos_handle;
>  
>  	create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
>  
> @@ -1571,6 +1593,16 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
>  		handle = nf_tables_alloc_handle(table);
>  	}
>  
> +	if (nla[NFTA_RULE_POSITION]) {
> +		pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
> +		old_rule = __nf_tables_rule_lookup(chain, pos_handle);
> +		if (IS_ERR(old_rule))
> +			return PTR_ERR(old_rule);
> +
> +		if (! (nlh->nlmsg_flags & NLM_F_CREATE))
> +			return -EOPNOTSUPP;

Better this checking before the rule lookup.

> +	}
> +
>  	nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
>  
>  	n = 0;
> @@ -1625,9 +1657,16 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
>  			nf_tables_rule_destroy(old_rule);
>  		}
>  	} else if (nlh->nlmsg_flags & NLM_F_APPEND)
> -		list_add_tail_rcu(&rule->list, &chain->rules);
> -	else
> -		list_add_rcu(&rule->list, &chain->rules);
> +		if (old_rule)
> +			list_add_rcu(&rule->list, &old_rule->list);
> +		else
> +			list_add_tail_rcu(&rule->list, &chain->rules);
> +	else {
> +		if (old_rule)
> +			list_add_tail_rcu(&rule->list, &old_rule->list);
> +		else
> +			list_add_rcu(&rule->list, &chain->rules);
> +	}
>  
>  	if (flags & NFT_RULE_F_COMMIT)
>  		list_add(&rule->dirty_list, &chain->dirty_rules);
> -- 
> 1.8.3.2
> 

  reply	other threads:[~2013-07-07 21:56 UTC|newest]

Thread overview: 40+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-06-19  8:03 [RFC PATCH 0/1] add insert after to nf_tables Eric Leblond
2013-06-19  8:03 ` [PATCH] netfilter: nf_tables: add insert operation Eric Leblond
2013-06-19  8:04 ` [libnftables PATCH] examples: add insert rule example Eric Leblond
2013-06-19  9:47 ` [RFC PATCH 0/1] add insert after to nf_tables Tomasz Bursztyka
2013-06-20  9:42   ` Pablo Neira Ayuso
2013-06-20  9:52     ` Tomasz Bursztyka
2013-06-20 10:10       ` Pablo Neira Ayuso
2013-06-20 10:36         ` Tomasz Bursztyka
2013-06-20 10:46           ` Patrick McHardy
2013-06-20 10:59             ` Tomasz Bursztyka
2013-06-20 12:17             ` Eric Leblond
2013-06-28 21:05               ` [RFC PATCHv2] netfilter: nf_tables: add insert operation Eric Leblond
2013-06-29 10:24                 ` Pablo Neira Ayuso
2013-07-06 15:31                   ` [PATCHv3 nftables insert operation] Eric Leblond
2013-07-06 15:31                     ` [PATCH] netfilter: nf_tables: add insert operation Eric Leblond
2013-07-07 21:56                       ` Pablo Neira Ayuso [this message]
2013-07-08 22:56                         ` [PATCHv4 nftables insert operation 0/1] Eric Leblond
2013-07-08 22:56                           ` [PATCHv4] netfilter: nf_tables: add insert operation Eric Leblond
2013-07-15 10:48                             ` Pablo Neira Ayuso
2013-07-15 17:27                               ` Eric Leblond
2013-07-15 23:57                                 ` Pablo Neira Ayuso
2013-07-16  7:35                                   ` Eric Leblond
2013-07-16 10:00                                     ` Pablo Neira Ayuso
2013-07-16 10:07                                       ` Eric Leblond
2013-07-19  7:45                                         ` [PATCHv5] " Eric Leblond
2013-07-19 12:49                                           ` Pablo Neira Ayuso
2013-07-08 23:00                           ` [nftables PATCH] rule: honor flag argument during rule creation Eric Leblond
2013-07-06 15:33                     ` [libnftables PATCH 1/4] rule: add support for position attribute Eric Leblond
2013-07-06 15:33                       ` [libnftables PATCH 2/4] examples: add insert rule example Eric Leblond
2013-07-19 12:31                         ` Pablo Neira Ayuso
2013-07-06 15:33                       ` [libnftables PATCH 3/4] rule: display position in default printf Eric Leblond
2013-07-19 12:32                         ` Pablo Neira Ayuso
2013-07-06 15:33                       ` [libnftables PATCH 4/4] rule: change type of function to use const Eric Leblond
2013-07-19 12:32                         ` Pablo Neira Ayuso
2013-07-19 12:31                       ` [libnftables PATCH 1/4] rule: add support for position attribute Pablo Neira Ayuso
2013-07-06 15:33                     ` [nftables PATCH] Add support for insertion inside rule list Eric Leblond
2013-07-19 12:28                       ` Pablo Neira Ayuso
2013-07-19 14:31                         ` Eric Leblond
2013-07-19 15:50                           ` Pablo Neira Ayuso
2013-07-01  7:01                 ` [RFC PATCHv2] netfilter: nf_tables: add insert operation Tomasz Bursztyka

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20130707215644.GA31231@localhost \
    --to=pablo@netfilter.org \
    --cc=eric@regit.org \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).