From: Florian Westphal <fw@strlen.de>
To: Phil Sutter <phil@nwl.cc>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
netfilter-devel@vger.kernel.org, Florian Westphal <fw@strlen.de>,
Eric Garver <e@erig.me>
Subject: Re: [nf-next PATCH v4 13/16] netfilter: nf_tables: Handle NETDEV_CHANGENAME events
Date: Sun, 22 Sep 2024 09:32:24 +0200 [thread overview]
Message-ID: <20240922073224.GA32587@breakpoint.cc> (raw)
In-Reply-To: <20240920202347.28616-14-phil@nwl.cc>
Phil Sutter <phil@nwl.cc> wrote:
> For the sake of simplicity, treat them like consecutive NETDEV_REGISTER
> and NETDEV_UNREGISTER events. If the new name matches a hook spec and
> registration fails, escalate the error and keep things as they are.
>
> Signed-off-by: Phil Sutter <phil@nwl.cc>
> ---
> Changes since v3:
> - Register first and handle errors to avoid having unregistered the
> device but registration fails.
> ---
> net/netfilter/nf_tables_api.c | 5 +++++
> net/netfilter/nft_chain_filter.c | 5 +++++
> 2 files changed, 10 insertions(+)
>
> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> index 2684990dd3dc..4d40c1905735 100644
> --- a/net/netfilter/nf_tables_api.c
> +++ b/net/netfilter/nf_tables_api.c
> @@ -9371,6 +9371,11 @@ static int nf_tables_flowtable_event(struct notifier_block *this,
> struct nft_table *table;
> struct net *net;
>
> + if (event == NETDEV_CHANGENAME) {
> + if (nf_tables_flowtable_event(this, NETDEV_REGISTER, ptr))
> + return NOTIFY_BAD;
> + event = NETDEV_UNREGISTER;
> + }
Consider flowtable that should claim devices "pv*".
You get CHANGENAME, device name is, say, pv5.
Device name is registered in nf_tables_flowtable_event().
Then, event is set to UNREGISTER.
AFAICS this may unreg the device again immediately, as unreg part
only compares device pointer and we can't be sure the device was
part of any flowtable when CHANGENAME was triggered.
So I think nf_tables_flowtable_event() must handle CHANGENAME
directly, first check if any flowtable holds the device at this time,
then check if we need to register it with a new name, and do unreg
only if it was previously part of any flowtable.
Same logic needed for netdev chains.
Does that make sense?
next prev parent reply other threads:[~2024-09-22 7:32 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-20 20:23 [nf-next PATCH v4 00/16] Dynamic hook interface binding Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 01/16] netfilter: nf_tables: Flowtable hook's pf value never varies Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 02/16] netfilter: nf_tables: Store user-defined hook ifname Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 03/16] netfilter: nf_tables: Use stored ifname in netdev hook dumps Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 04/16] netfilter: nf_tables: Compare netdev hooks based on stored name Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 05/16] netfilter: nf_tables: Tolerate chains with no remaining hooks Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 06/16] netfilter: nf_tables: Introduce functions freeing nft_hook objects Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 07/16] netfilter: nf_tables: Introduce nft_hook_find_ops() Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 08/16] netfilter: nf_tables: Introduce nft_register_flowtable_ops() Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 09/16] netfilter: nf_tables: Drop __nft_unregister_flowtable_net_hooks() Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 10/16] netfilter: nf_tables: Have a list of nf_hook_ops in nft_hook Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 11/16] netfilter: nf_tables: chain: Respect NETDEV_REGISTER events Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 12/16] netfilter: nf_tables: flowtable: " Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 13/16] netfilter: nf_tables: Handle NETDEV_CHANGENAME events Phil Sutter
2024-09-22 7:32 ` Florian Westphal [this message]
2024-09-22 10:48 ` Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 14/16] netfilter: nf_tables: Support wildcard netdev hook specs Phil Sutter
2024-09-20 20:23 ` [nf-next PATCH v4 15/16] netfilter: nf_tables: Add notications for hook changes Phil Sutter
2024-09-21 9:10 ` Florian Westphal
2024-09-25 17:25 ` Phil Sutter
2024-09-25 17:51 ` Florian Westphal
2024-09-25 18:16 ` Phil Sutter
2024-09-25 18:17 ` Florian Westphal
2024-09-20 20:23 ` [nf-next PATCH v4 16/16] selftests: netfilter: Torture nftables netdev hooks Phil Sutter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240922073224.GA32587@breakpoint.cc \
--to=fw@strlen.de \
--cc=e@erig.me \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=phil@nwl.cc \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).