netfilter: nf_tables: consolidate set description
Add the following fields to the set description: - key type - data type - object type - policy - gc_int: garbage collection interval - timeout: element timeout This prepares for stricter set type checks on updates in a follow up patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent
5eb119da94
commit
bed4a63ea4
@ -312,17 +312,29 @@ struct nft_set_iter {
|
|||||||
/**
|
/**
|
||||||
* struct nft_set_desc - description of set elements
|
* struct nft_set_desc - description of set elements
|
||||||
*
|
*
|
||||||
|
* @ktype: key type
|
||||||
* @klen: key length
|
* @klen: key length
|
||||||
|
* @dtype: data type
|
||||||
* @dlen: data length
|
* @dlen: data length
|
||||||
|
* @objtype: object type
|
||||||
|
* @flags: flags
|
||||||
* @size: number of set elements
|
* @size: number of set elements
|
||||||
|
* @policy: set policy
|
||||||
|
* @gc_int: garbage collector interval
|
||||||
* @field_len: length of each field in concatenation, bytes
|
* @field_len: length of each field in concatenation, bytes
|
||||||
* @field_count: number of concatenated fields in element
|
* @field_count: number of concatenated fields in element
|
||||||
* @expr: set must support for expressions
|
* @expr: set must support for expressions
|
||||||
*/
|
*/
|
||||||
struct nft_set_desc {
|
struct nft_set_desc {
|
||||||
|
u32 ktype;
|
||||||
unsigned int klen;
|
unsigned int klen;
|
||||||
|
u32 dtype;
|
||||||
unsigned int dlen;
|
unsigned int dlen;
|
||||||
|
u32 objtype;
|
||||||
unsigned int size;
|
unsigned int size;
|
||||||
|
u32 policy;
|
||||||
|
u32 gc_int;
|
||||||
|
u64 timeout;
|
||||||
u8 field_len[NFT_REG32_COUNT];
|
u8 field_len[NFT_REG32_COUNT];
|
||||||
u8 field_count;
|
u8 field_count;
|
||||||
bool expr;
|
bool expr;
|
||||||
|
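Review bot: The new `u64 timeout;` member of struct nft_set_desc has no kernel-doc line, while every other field this hunk adds (`@ktype`, `@dtype`, `@objtype`, `@policy`, `@gc_int`) is described, so the kernel-doc tooling will most likely report the member as undescribed. The commit message already names it "element timeout"; adding `* @timeout: element timeout` after the `* @gc_int: garbage collector interval` line keeps the comment block complete and in the same order as the members.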
@ -3780,8 +3780,7 @@ static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
|
|||||||
static const struct nft_set_ops *
|
static const struct nft_set_ops *
|
||||||
nft_select_set_ops(const struct nft_ctx *ctx,
|
nft_select_set_ops(const struct nft_ctx *ctx,
|
||||||
const struct nlattr * const nla[],
|
const struct nlattr * const nla[],
|
||||||
const struct nft_set_desc *desc,
|
const struct nft_set_desc *desc)
|
||||||
enum nft_set_policies policy)
|
|
||||||
{
|
{
|
||||||
struct nftables_pernet *nft_net = nft_pernet(ctx->net);
|
struct nftables_pernet *nft_net = nft_pernet(ctx->net);
|
||||||
const struct nft_set_ops *ops, *bops;
|
const struct nft_set_ops *ops, *bops;
|
||||||
@ -3810,7 +3809,7 @@ nft_select_set_ops(const struct nft_ctx *ctx,
|
|||||||
if (!ops->estimate(desc, flags, &est))
|
if (!ops->estimate(desc, flags, &est))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
switch (policy) {
|
switch (desc->policy) {
|
||||||
case NFT_SET_POL_PERFORMANCE:
|
case NFT_SET_POL_PERFORMANCE:
|
||||||
if (est.lookup < best.lookup)
|
if (est.lookup < best.lookup)
|
||||||
break;
|
break;
|
||||||
@ -4392,7 +4391,6 @@ static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
|
|||||||
static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
|
static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
|
||||||
const struct nlattr * const nla[])
|
const struct nlattr * const nla[])
|
||||||
{
|
{
|
||||||
u32 ktype, dtype, flags, policy, gc_int, objtype;
|
|
||||||
struct netlink_ext_ack *extack = info->extack;
|
struct netlink_ext_ack *extack = info->extack;
|
||||||
u8 genmask = nft_genmask_next(info->net);
|
u8 genmask = nft_genmask_next(info->net);
|
||||||
u8 family = info->nfmsg->nfgen_family;
|
u8 family = info->nfmsg->nfgen_family;
|
||||||
@ -4405,10 +4403,10 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
|
|||||||
struct nft_set *set;
|
struct nft_set *set;
|
||||||
struct nft_ctx ctx;
|
struct nft_ctx ctx;
|
||||||
size_t alloc_size;
|
size_t alloc_size;
|
||||||
u64 timeout;
|
|
||||||
char *name;
|
char *name;
|
||||||
int err, i;
|
int err, i;
|
||||||
u16 udlen;
|
u16 udlen;
|
||||||
|
u32 flags;
|
||||||
u64 size;
|
u64 size;
|
||||||
|
|
||||||
if (nla[NFTA_SET_TABLE] == NULL ||
|
if (nla[NFTA_SET_TABLE] == NULL ||
|
||||||
@ -4419,10 +4417,10 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
|
|||||||
|
|
||||||
memset(&desc, 0, sizeof(desc));
|
memset(&desc, 0, sizeof(desc));
|
||||||
|
|
||||||
ktype = NFT_DATA_VALUE;
|
desc.ktype = NFT_DATA_VALUE;
|
||||||
if (nla[NFTA_SET_KEY_TYPE] != NULL) {
|
if (nla[NFTA_SET_KEY_TYPE] != NULL) {
|
||||||
ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
|
desc.ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
|
||||||
if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
|
if ((desc.ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -4447,17 +4445,17 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
|
|||||||
return -EOPNOTSUPP;
|
return -EOPNOTSUPP;
|
||||||
}
|
}
|
||||||
|
|
||||||
dtype = 0;
|
desc.dtype = 0;
|
||||||
if (nla[NFTA_SET_DATA_TYPE] != NULL) {
|
if (nla[NFTA_SET_DATA_TYPE] != NULL) {
|
||||||
if (!(flags & NFT_SET_MAP))
|
if (!(flags & NFT_SET_MAP))
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
|
desc.dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
|
||||||
if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
|
if ((desc.dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
|
||||||
dtype != NFT_DATA_VERDICT)
|
desc.dtype != NFT_DATA_VERDICT)
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
if (dtype != NFT_DATA_VERDICT) {
|
if (desc.dtype != NFT_DATA_VERDICT) {
|
||||||
if (nla[NFTA_SET_DATA_LEN] == NULL)
|
if (nla[NFTA_SET_DATA_LEN] == NULL)
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
|
desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
|
||||||
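Review bot: `desc.dtype = 0;` is now redundant: `desc` is cleared by `memset(&desc, 0, sizeof(desc))` in the preceding hunk, so the explicit reset adds nothing once the value lives in the struct rather than in a separate local. The same holds for `desc.timeout = 0;` and `desc.gc_int = 0;` in the next hunk; before this change those were independent locals that needed initialisation, which is the only reason the assignments existed. Either drop the three assignments or keep them with a one-line comment such as `/* desc is already zeroed; explicit for readability */` so the next reader does not look for a second initialisation path. The enclosing nf_tables_newset body starts and ends outside this hunk.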
@ -4472,34 +4470,34 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
|
|||||||
if (!(flags & NFT_SET_OBJECT))
|
if (!(flags & NFT_SET_OBJECT))
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
|
desc.objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
|
||||||
if (objtype == NFT_OBJECT_UNSPEC ||
|
if (desc.objtype == NFT_OBJECT_UNSPEC ||
|
||||||
objtype > NFT_OBJECT_MAX)
|
desc.objtype > NFT_OBJECT_MAX)
|
||||||
return -EOPNOTSUPP;
|
return -EOPNOTSUPP;
|
||||||
} else if (flags & NFT_SET_OBJECT)
|
} else if (flags & NFT_SET_OBJECT)
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
else
|
else
|
||||||
objtype = NFT_OBJECT_UNSPEC;
|
desc.objtype = NFT_OBJECT_UNSPEC;
|
||||||
|
|
||||||
timeout = 0;
|
desc.timeout = 0;
|
||||||
if (nla[NFTA_SET_TIMEOUT] != NULL) {
|
if (nla[NFTA_SET_TIMEOUT] != NULL) {
|
||||||
if (!(flags & NFT_SET_TIMEOUT))
|
if (!(flags & NFT_SET_TIMEOUT))
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
|
err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &desc.timeout);
|
||||||
if (err)
|
if (err)
|
||||||
return err;
|
return err;
|
||||||
}
|
}
|
||||||
gc_int = 0;
|
desc.gc_int = 0;
|
||||||
if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
|
if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
|
||||||
if (!(flags & NFT_SET_TIMEOUT))
|
if (!(flags & NFT_SET_TIMEOUT))
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
|
desc.gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
|
||||||
}
|
}
|
||||||
|
|
||||||
policy = NFT_SET_POL_PERFORMANCE;
|
desc.policy = NFT_SET_POL_PERFORMANCE;
|
||||||
if (nla[NFTA_SET_POLICY] != NULL)
|
if (nla[NFTA_SET_POLICY] != NULL)
|
||||||
policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
|
desc.policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
|
||||||
|
|
||||||
if (nla[NFTA_SET_DESC] != NULL) {
|
if (nla[NFTA_SET_DESC] != NULL) {
|
||||||
err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
|
err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
|
||||||
@ -4544,7 +4542,7 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
|
|||||||
if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))
|
if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))
|
||||||
return -ENOENT;
|
return -ENOENT;
|
||||||
|
|
||||||
ops = nft_select_set_ops(&ctx, nla, &desc, policy);
|
ops = nft_select_set_ops(&ctx, nla, &desc);
|
||||||
if (IS_ERR(ops))
|
if (IS_ERR(ops))
|
||||||
return PTR_ERR(ops);
|
return PTR_ERR(ops);
|
||||||
|
|
||||||
@ -4584,18 +4582,18 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
|
|||||||
set->table = table;
|
set->table = table;
|
||||||
write_pnet(&set->net, net);
|
write_pnet(&set->net, net);
|
||||||
set->ops = ops;
|
set->ops = ops;
|
||||||
set->ktype = ktype;
|
set->ktype = desc.ktype;
|
||||||
set->klen = desc.klen;
|
set->klen = desc.klen;
|
||||||
set->dtype = dtype;
|
set->dtype = desc.dtype;
|
||||||
set->objtype = objtype;
|
set->objtype = desc.objtype;
|
||||||
set->dlen = desc.dlen;
|
set->dlen = desc.dlen;
|
||||||
set->flags = flags;
|
set->flags = flags;
|
||||||
set->size = desc.size;
|
set->size = desc.size;
|
||||||
set->policy = policy;
|
set->policy = desc.policy;
|
||||||
set->udlen = udlen;
|
set->udlen = udlen;
|
||||||
set->udata = udata;
|
set->udata = udata;
|
||||||
set->timeout = timeout;
|
set->timeout = desc.timeout;
|
||||||
set->gc_int = gc_int;
|
set->gc_int = desc.gc_int;
|
||||||
|
|
||||||
set->field_count = desc.field_count;
|
set->field_count = desc.field_count;
|
||||||
for (i = 0; i < desc.field_count; i++)
|
for (i = 0; i < desc.field_count; i++)
|
||||||
|