From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org, Florian Westphal <fw@strlen.de>,
Eric Garver <e@erig.me>
Subject: [nf-next PATCH v4 07/16] netfilter: nf_tables: Introduce nft_hook_find_ops()
Date: Fri, 20 Sep 2024 22:23:38 +0200 [thread overview]
Message-ID: <20240920202347.28616-8-phil@nwl.cc> (raw)
In-Reply-To: <20240920202347.28616-1-phil@nwl.cc>
Also a pretty dull wrapper around the hook->ops.dev comparison for now.
Will search the embedded nf_hook_ops list in future. The ugly cast to
eliminate the const qualifier will vanish then, too.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
include/net/netfilter/nf_tables.h | 3 +++
net/netfilter/nf_tables_api.c | 14 +++++++++++++-
net/netfilter/nf_tables_offload.c | 2 +-
net/netfilter/nft_chain_filter.c | 6 ++++--
net/netfilter/nft_flow_offload.c | 2 +-
5 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 6aa39c4a8c3c..37d1110ccfd9 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1196,6 +1196,9 @@ struct nft_hook {
u8 ifnamelen;
};
+struct nf_hook_ops *nft_hook_find_ops(const struct nft_hook *hook,
+ const struct net_device *dev);
+
/**
* struct nft_base_chain - nf_tables base chain
*
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index a0482c7fc659..8326395c5752 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -9253,13 +9253,25 @@ static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
return -EMSGSIZE;
}
+struct nf_hook_ops *nft_hook_find_ops(const struct nft_hook *hook,
+ const struct net_device *dev)
+{
+ if (hook->ops.dev == dev)
+ return (struct nf_hook_ops *)&hook->ops;
+
+ return NULL;
+}
+EXPORT_SYMBOL_GPL(nft_hook_find_ops);
+
static void nft_flowtable_event(unsigned long event, struct net_device *dev,
struct nft_flowtable *flowtable)
{
+ struct nf_hook_ops *ops;
struct nft_hook *hook;
list_for_each_entry(hook, &flowtable->hook_list, list) {
- if (hook->ops.dev != dev)
+ ops = nft_hook_find_ops(hook, dev);
+ if (!ops)
continue;
/* flow_offload_netdev_event() cleans up entries for us. */
diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c
index 64675f1c7f29..75b756f0b9f0 100644
--- a/net/netfilter/nf_tables_offload.c
+++ b/net/netfilter/nf_tables_offload.c
@@ -638,7 +638,7 @@ static struct nft_chain *__nft_offload_get_chain(const struct nftables_pernet *n
found = NULL;
basechain = nft_base_chain(chain);
list_for_each_entry(hook, &basechain->hook_list, list) {
- if (hook->ops.dev != dev)
+ if (!nft_hook_find_ops(hook, dev))
continue;
found = hook;
diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c
index 543f258b7c6b..d34c6fe7ba72 100644
--- a/net/netfilter/nft_chain_filter.c
+++ b/net/netfilter/nft_chain_filter.c
@@ -322,14 +322,16 @@ static void nft_netdev_event(unsigned long event, struct net_device *dev,
struct nft_ctx *ctx)
{
struct nft_base_chain *basechain = nft_base_chain(ctx->chain);
+ struct nf_hook_ops *ops;
struct nft_hook *hook;
list_for_each_entry(hook, &basechain->hook_list, list) {
- if (hook->ops.dev != dev)
+ ops = nft_hook_find_ops(hook, dev);
+ if (!ops)
continue;
if (!(ctx->chain->table->flags & NFT_TABLE_F_DORMANT))
- nf_unregister_net_hook(ctx->net, &hook->ops);
+ nf_unregister_net_hook(ctx->net, ops);
list_del_rcu(&hook->list);
kfree_rcu(hook, rcu);
diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
index 2f732fae5a83..83415d7aadda 100644
--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -175,7 +175,7 @@ static bool nft_flowtable_find_dev(const struct net_device *dev,
bool found = false;
list_for_each_entry_rcu(hook, &ft->hook_list, list) {
- if (hook->ops.dev != dev)
+ if (!nft_hook_find_ops(hook, dev))
continue;
found = true;
--
2.43.0
next prev parent reply other threads:[~2024-09-20 20:24 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-20 20:23 [nf-next PATCH v4 00/16] Dynamic hook interface binding Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 01/16] netfilter: nf_tables: Flowtable hook's pf value never varies Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 02/16] netfilter: nf_tables: Store user-defined hook ifname Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 03/16] netfilter: nf_tables: Use stored ifname in netdev hook dumps Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 04/16] netfilter: nf_tables: Compare netdev hooks based on stored name Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 05/16] netfilter: nf_tables: Tolerate chains with no remaining hooks Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 06/16] netfilter: nf_tables: Introduce functions freeing nft_hook objects Phil Sutter
2024-09-20 20:23 ` Phil Sutter [this message]
2024-09-20 20:23 ` [nf-next PATCH v4 08/16] netfilter: nf_tables: Introduce nft_register_flowtable_ops() Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 09/16] netfilter: nf_tables: Drop __nft_unregister_flowtable_net_hooks() Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 10/16] netfilter: nf_tables: Have a list of nf_hook_ops in nft_hook Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 11/16] netfilter: nf_tables: chain: Respect NETDEV_REGISTER events Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 12/16] netfilter: nf_tables: flowtable: " Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 13/16] netfilter: nf_tables: Handle NETDEV_CHANGENAME events Phil Sutter
2024-09-22 7:32 ` Florian Westphal
2024-09-22 10:48 ` Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 14/16] netfilter: nf_tables: Support wildcard netdev hook specs Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 15/16] netfilter: nf_tables: Add notications for hook changes Phil Sutter
2024-09-21 9:10 ` Florian Westphal
2024-09-25 17:25 ` Phil Sutter
2024-09-25 17:51 ` Florian Westphal
2024-09-25 18:16 ` Phil Sutter
2024-09-25 18:17 ` Florian Westphal
2024-09-20 20:23 ` [nf-next PATCH v4 16/16] selftests: netfilter: Torture nftables netdev hooks Phil Sutter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240920202347.28616-8-phil@nwl.cc \
--to=phil@nwl.cc \
--cc=e@erig.me \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).