From: Shmulik Ladkani <shmulik@nsof.io>
To: netfilter-devel@vger.kernel.org, Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Willem de Bruijn <willemb@google.com>,
rbk@nsof.io, shmulik@nsof.io, Rafael Buchbinder <rafi@rbk.ms>
Subject: [PATCH v2 1/2] iptables: support match info fixup after tc_init
Date: Sun, 17 Sep 2017 14:20:30 +0300 [thread overview]
Message-ID: <20170917112031.8644-2-shmulik@nsof.io> (raw)
In-Reply-To: <20170917112031.8644-1-shmulik@nsof.io>
From: Rafael Buchbinder <rafi@rbk.ms>
From: Rafael Buchbinder <rafi@rbk.ms>
This commit introduces a framework to fixup match info,
which may be required by an extension.
Signed-off-by: Rafael Buchbinder <rafi@rbk.ms>
Signed-off-by: Shmulik Ladkani <shmulik@nsof.io>
---
include/xtables.h | 3 +++
iptables/ip6tables.c | 35 +++++++++++++++++++++++++++++++++++
iptables/iptables.c | 34 ++++++++++++++++++++++++++++++++++
3 files changed, 72 insertions(+)
diff --git a/include/xtables.h b/include/xtables.h
index e9bc3b7d..687cfe9f 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -273,6 +273,9 @@ struct xtables_match {
/* ip is struct ipt_ip * for example */
void (*save)(const void *ip, const struct xt_entry_match *match);
+ /* Fixes the match info after init. */
+ void (*tc_init_fixup)(struct xt_entry_match *match);
+
/* Print match name or alias */
const char *(*alias)(const struct xt_entry_match *match);
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 49bd006f..0a6afa77 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -925,6 +925,39 @@ delete_chain6(const xt_chainlabel chain, int verbose,
return ip6tc_delete_chain(chain, handle);
}
+
+static int
+tc_init_fixup_match(struct xt_entry_match *m)
+{
+ const struct xtables_match *match =
+ xtables_find_match(m->u.user.name, XTF_TRY_LOAD, NULL);
+
+ if (match) {
+ if (match->tc_init_fixup && m->u.user.revision == match->revision)
+ match->tc_init_fixup(m);
+ }
+
+ /* Don't stop iterating. */
+ return 0;
+}
+
+static void
+tc_init_fixup(struct xtc_handle *handle)
+{
+ const char *chain;
+
+ for (chain = ip6tc_first_chain(handle);
+ chain;
+ chain = ip6tc_next_chain(handle)) {
+ const struct ip6t_entry *entry = ip6tc_first_rule(chain, handle);
+
+ while (entry) {
+ IP6T_MATCH_ITERATE(entry, tc_init_fixup_match);
+ entry = ip6tc_next_rule(entry, handle);
+ }
+ }
+}
+
static int
list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
int expanded, int linenumbers, struct xtc_handle *handle)
@@ -1795,6 +1828,8 @@ int do_command6(int argc, char *argv[], char **table,
"can't initialize ip6tables table `%s': %s",
*table, ip6tc_strerror(errno));
+ tc_init_fixup(*handle);
+
if (command == CMD_APPEND
|| command == CMD_DELETE
|| command == CMD_CHECK
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 69d19fec..f220a8e4 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -909,6 +909,38 @@ delete_chain4(const xt_chainlabel chain, int verbose,
return iptc_delete_chain(chain, handle);
}
+static int
+tc_init_fixup_match(struct xt_entry_match *m)
+{
+ const struct xtables_match *match =
+ xtables_find_match(m->u.user.name, XTF_TRY_LOAD, NULL);
+
+ if (match) {
+ if (match->tc_init_fixup && m->u.user.revision == match->revision)
+ match->tc_init_fixup(m);
+ }
+
+ /* Don't stop iterating. */
+ return 0;
+}
+
+static void
+tc_init_fixup(struct xtc_handle *handle)
+{
+ const char *chain;
+
+ for (chain = iptc_first_chain(handle);
+ chain;
+ chain = iptc_next_chain(handle)) {
+ const struct ipt_entry *entry = iptc_first_rule(chain, handle);
+
+ while (entry) {
+ IPT_MATCH_ITERATE(entry, tc_init_fixup_match);
+ entry = iptc_next_rule(entry, handle);
+ }
+ }
+}
+
static int
list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
int expanded, int linenumbers, struct xtc_handle *handle)
@@ -1781,6 +1813,8 @@ int do_command4(int argc, char *argv[], char **table,
"can't initialize iptables table `%s': %s",
*table, iptc_strerror(errno));
+ tc_init_fixup(*handle);
+
if (command == CMD_APPEND
|| command == CMD_DELETE
|| command == CMD_CHECK
--
2.14.1
next prev parent reply other threads:[~2017-09-17 11:20 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-17 11:20 [PATCH v2 0/2] xt_bpf: fix handling of pinned objects Shmulik Ladkani
2017-09-17 11:20 ` Shmulik Ladkani [this message]
2017-09-18 16:28 ` [PATCH v2 1/2] iptables: support match info fixup after tc_init Pablo Neira Ayuso
2017-09-18 17:00 ` Shmulik Ladkani
2017-09-18 17:23 ` Pablo Neira Ayuso
2017-09-18 17:50 ` Willem de Bruijn
2017-09-18 17:54 ` Pablo Neira Ayuso
2017-10-04 14:33 ` Pablo Neira Ayuso
2017-10-04 14:38 ` Shmulik Ladkani
2017-09-18 18:04 ` Jan Engelhardt
2017-09-17 11:20 ` [PATCH v2 2/2] extensions: xt_bpf: get the pinned ebpf object when match is initialized Shmulik Ladkani
2017-09-18 16:22 ` Willem de Bruijn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170917112031.8644-2-shmulik@nsof.io \
--to=shmulik@nsof.io \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=rafi@rbk.ms \
--cc=rbk@nsof.io \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).