* [PATCH 0/5 nf-next,v2] enhance stateful expression support
@ 2020-03-11 14:30 Pablo Neira Ayuso
2020-03-11 14:30 ` [PATCH 1/5] netfilter: nf_tables: add nft_set_elem_expr_alloc() Pablo Neira Ayuso
` (4 more replies)
0 siblings, 5 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2020-03-11 14:30 UTC (permalink / raw)
To: netfilter-devel
This patchset allows users to add and to restore stateful expressions
of set elements, e.g.
table ip test {
set test {
type ipv4_addr
size 65535
flags dynamic,timeout
timeout 30d
gc-interval 1d
elements = { 192.168.10.13 expires 19d23h52m27s576ms counter packets 51 bytes 17265 }
}
chain output {
type filter hook output priority 0;
update @test { ip saddr }
}
}
You can also add counters to elements from the control place, ie.
table ip test {
set test {
type ipv4_addr
size 65535
elements = { 192.168.2.1 counter packets 75 bytes 19043 }
}
chain output {
type filter hook output priority filter; policy accept;
ip daddr @test
}
}
v2: Missing patch to add nft_set_elem_expr_alloc() helper function.
Pablo Neira Ayuso (5):
netfilter: nf_tables: add nft_set_elem_expr_alloc()
netfilter: nf_tables: remove EXPORT_SYMBOL_GPL for nft_expr_init()
netfilter: nf_tables: add elements with stateful expressions
netfilter: nf_tables: add nft_set_elem_update_expr() helper function
netfilter: nft_lookup: update element stateful expression
include/net/netfilter/nf_tables.h | 18 +++++++++++--
net/netfilter/nf_tables_api.c | 55 ++++++++++++++++++++++++++++++++++++---
net/netfilter/nft_dynset.c | 23 +++-------------
net/netfilter/nft_lookup.c | 1 +
4 files changed, 72 insertions(+), 25 deletions(-)
--
2.11.0
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 1/5] netfilter: nf_tables: add nft_set_elem_expr_alloc()
2020-03-11 14:30 [PATCH 0/5 nf-next,v2] enhance stateful expression support Pablo Neira Ayuso
@ 2020-03-11 14:30 ` Pablo Neira Ayuso
2020-03-11 14:30 ` [PATCH 2/5] netfilter: nf_tables: remove EXPORT_SYMBOL_GPL for nft_expr_init() Pablo Neira Ayuso
` (3 subsequent siblings)
4 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2020-03-11 14:30 UTC (permalink / raw)
To: netfilter-devel
Add helper function to create stateful expression.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_tables.h | 4 ++++
net/netfilter/nf_tables_api.c | 30 ++++++++++++++++++++++++++++++
net/netfilter/nft_dynset.c | 15 ++-------------
3 files changed, 36 insertions(+), 13 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 4170c033d461..da2b8ff9f066 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -673,6 +673,10 @@ static inline struct nft_object **nft_set_ext_obj(const struct nft_set_ext *ext)
return nft_set_ext(ext, NFT_SET_EXT_OBJREF);
}
+struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
+ const struct nft_set *set,
+ const struct nlattr *attr);
+
void *nft_set_elem_init(const struct nft_set *set,
const struct nft_set_ext_tmpl *tmpl,
const u32 *key, const u32 *key_end, const u32 *data,
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 38c680f28f15..a9f4169c8610 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4801,6 +4801,36 @@ static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
return trans;
}
+struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
+ const struct nft_set *set,
+ const struct nlattr *attr)
+{
+ struct nft_expr *expr;
+ int err;
+
+ expr = nft_expr_init(ctx, attr);
+ if (IS_ERR(expr))
+ return expr;
+
+ err = -EOPNOTSUPP;
+ if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL))
+ goto err_set_elem_expr;
+
+ if (expr->ops->type->flags & NFT_EXPR_GC) {
+ if (set->flags & NFT_SET_TIMEOUT)
+ goto err_set_elem_expr;
+ if (!set->ops->gc_init)
+ goto err_set_elem_expr;
+ set->ops->gc_init(set);
+ }
+
+ return expr;
+
+err_set_elem_expr:
+ nft_expr_destroy(ctx, expr);
+ return ERR_PTR(err);
+}
+
void *nft_set_elem_init(const struct nft_set *set,
const struct nft_set_ext_tmpl *tmpl,
const u32 *key, const u32 *key_end,
diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index 683785225a3e..e106cf1c5b8b 100644
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -206,21 +206,10 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
if (!(set->flags & NFT_SET_EVAL))
return -EINVAL;
- priv->expr = nft_expr_init(ctx, tb[NFTA_DYNSET_EXPR]);
+ priv->expr = nft_set_elem_expr_alloc(ctx, set,
+ tb[NFTA_DYNSET_EXPR]);
if (IS_ERR(priv->expr))
return PTR_ERR(priv->expr);
-
- err = -EOPNOTSUPP;
- if (!(priv->expr->ops->type->flags & NFT_EXPR_STATEFUL))
- goto err1;
-
- if (priv->expr->ops->type->flags & NFT_EXPR_GC) {
- if (set->flags & NFT_SET_TIMEOUT)
- goto err1;
- if (!set->ops->gc_init)
- goto err1;
- set->ops->gc_init(set);
- }
}
nft_set_ext_prepare(&priv->tmpl);
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 2/5] netfilter: nf_tables: remove EXPORT_SYMBOL_GPL for nft_expr_init()
2020-03-11 14:30 [PATCH 0/5 nf-next,v2] enhance stateful expression support Pablo Neira Ayuso
2020-03-11 14:30 ` [PATCH 1/5] netfilter: nf_tables: add nft_set_elem_expr_alloc() Pablo Neira Ayuso
@ 2020-03-11 14:30 ` Pablo Neira Ayuso
2020-03-15 14:33 ` Pablo Neira Ayuso
2020-03-11 14:30 ` [PATCH 3/5] netfilter: nf_tables: add elements with stateful expressions Pablo Neira Ayuso
` (2 subsequent siblings)
4 siblings, 1 reply; 7+ messages in thread
From: Pablo Neira Ayuso @ 2020-03-11 14:30 UTC (permalink / raw)
To: netfilter-devel
Not exposed anymore to modules, remove it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_tables.h | 2 --
net/netfilter/nf_tables_api.c | 4 ++--
2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index da2b8ff9f066..13c257f7dd44 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -853,8 +853,6 @@ static inline void *nft_expr_priv(const struct nft_expr *expr)
return (void *)expr->data;
}
-struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
- const struct nlattr *nla);
void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr);
int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
const struct nft_expr *expr);
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index a9f4169c8610..0f670d13ae27 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2523,8 +2523,8 @@ static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
module_put(type->owner);
}
-struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
- const struct nlattr *nla)
+static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
+ const struct nlattr *nla)
{
struct nft_expr_info info;
struct nft_expr *expr;
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 3/5] netfilter: nf_tables: add elements with stateful expressions
2020-03-11 14:30 [PATCH 0/5 nf-next,v2] enhance stateful expression support Pablo Neira Ayuso
2020-03-11 14:30 ` [PATCH 1/5] netfilter: nf_tables: add nft_set_elem_expr_alloc() Pablo Neira Ayuso
2020-03-11 14:30 ` [PATCH 2/5] netfilter: nf_tables: remove EXPORT_SYMBOL_GPL for nft_expr_init() Pablo Neira Ayuso
@ 2020-03-11 14:30 ` Pablo Neira Ayuso
2020-03-11 14:30 ` [PATCH 4/5] netfilter: nf_tables: add nft_set_elem_update_expr() helper function Pablo Neira Ayuso
2020-03-11 14:30 ` [PATCH 5/5] netfilter: nft_lookup: update element stateful expression Pablo Neira Ayuso
4 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2020-03-11 14:30 UTC (permalink / raw)
To: netfilter-devel
Update nft_add_set_elem() to handle the NFTA_SET_ELEM_EXPR netlink
attribute. This patch allows users to to add elements with stateful
expressions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 0f670d13ae27..a90bf8d0b9ea 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4913,6 +4913,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
struct nft_set_elem elem;
struct nft_set_binding *binding;
struct nft_object *obj = NULL;
+ struct nft_expr *expr = NULL;
struct nft_userdata *udata;
struct nft_data_desc desc;
struct nft_data data;
@@ -4980,10 +4981,17 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
return err;
}
+ if (nla[NFTA_SET_ELEM_EXPR] != NULL) {
+ expr = nft_set_elem_expr_alloc(ctx, set,
+ nla[NFTA_SET_ELEM_EXPR]);
+ if (IS_ERR(expr))
+ return PTR_ERR(expr);
+ }
+
err = nft_setelem_parse_key(ctx, set, &elem.key.val,
nla[NFTA_SET_ELEM_KEY]);
if (err < 0)
- return err;
+ goto err_set_elem_expr;
nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
@@ -5002,6 +5010,10 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
}
+ if (expr)
+ nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPR,
+ expr->ops->size);
+
if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
if (!(set->flags & NFT_SET_OBJECT)) {
err = -EINVAL;
@@ -5086,6 +5098,10 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
*nft_set_ext_obj(ext) = obj;
obj->use++;
}
+ if (expr) {
+ memcpy(nft_set_ext_expr(ext), expr, expr->ops->size);
+ kfree(expr);
+ }
trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
if (trans == NULL)
@@ -5141,6 +5157,9 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
err_parse_key:
nft_data_release(&elem.key.val, NFT_DATA_VALUE);
+err_set_elem_expr:
+ if (expr != NULL)
+ nft_expr_destroy(ctx, expr);
return err;
}
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 4/5] netfilter: nf_tables: add nft_set_elem_update_expr() helper function
2020-03-11 14:30 [PATCH 0/5 nf-next,v2] enhance stateful expression support Pablo Neira Ayuso
` (2 preceding siblings ...)
2020-03-11 14:30 ` [PATCH 3/5] netfilter: nf_tables: add elements with stateful expressions Pablo Neira Ayuso
@ 2020-03-11 14:30 ` Pablo Neira Ayuso
2020-03-11 14:30 ` [PATCH 5/5] netfilter: nft_lookup: update element stateful expression Pablo Neira Ayuso
4 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2020-03-11 14:30 UTC (permalink / raw)
To: netfilter-devel
This helper function runs the eval path of the stateful expression
of an existing set element.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_tables.h | 12 ++++++++++++
net/netfilter/nft_dynset.c | 8 +-------
2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 13c257f7dd44..f9f61905a485 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -897,6 +897,18 @@ static inline struct nft_userdata *nft_userdata(const struct nft_rule *rule)
return (void *)&rule->data[rule->dlen];
}
+static inline void nft_set_elem_update_expr(const struct nft_set_ext *ext,
+ struct nft_regs *regs,
+ const struct nft_pktinfo *pkt)
+{
+ struct nft_expr *expr;
+
+ if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) {
+ expr = nft_set_ext_expr(ext);
+ expr->ops->eval(expr, regs, pkt);
+ }
+}
+
/*
* The last pointer isn't really necessary, but the compiler isn't able to
* determine that the result of nft_expr_last() is always the same since it
diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index e106cf1c5b8b..46ab28ec4b53 100644
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -81,7 +81,6 @@ void nft_dynset_eval(const struct nft_expr *expr,
const struct nft_dynset *priv = nft_expr_priv(expr);
struct nft_set *set = priv->set;
const struct nft_set_ext *ext;
- const struct nft_expr *sexpr;
u64 timeout;
if (priv->op == NFT_DYNSET_OP_DELETE) {
@@ -91,18 +90,13 @@ void nft_dynset_eval(const struct nft_expr *expr,
if (set->ops->update(set, ®s->data[priv->sreg_key], nft_dynset_new,
expr, regs, &ext)) {
- sexpr = NULL;
- if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
- sexpr = nft_set_ext_expr(ext);
-
if (priv->op == NFT_DYNSET_OP_UPDATE &&
nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
timeout = priv->timeout ? : set->timeout;
*nft_set_ext_expiration(ext) = get_jiffies_64() + timeout;
}
- if (sexpr != NULL)
- sexpr->ops->eval(sexpr, regs, pkt);
+ nft_set_elem_update_expr(ext, regs, pkt);
if (priv->invert)
regs->verdict.code = NFT_BREAK;
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 5/5] netfilter: nft_lookup: update element stateful expression
2020-03-11 14:30 [PATCH 0/5 nf-next,v2] enhance stateful expression support Pablo Neira Ayuso
` (3 preceding siblings ...)
2020-03-11 14:30 ` [PATCH 4/5] netfilter: nf_tables: add nft_set_elem_update_expr() helper function Pablo Neira Ayuso
@ 2020-03-11 14:30 ` Pablo Neira Ayuso
4 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2020-03-11 14:30 UTC (permalink / raw)
To: netfilter-devel
If the set element comes with an stateful expression, update it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_lookup.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c
index 660bad688e2b..1e70359d633c 100644
--- a/net/netfilter/nft_lookup.c
+++ b/net/netfilter/nft_lookup.c
@@ -43,6 +43,7 @@ void nft_lookup_eval(const struct nft_expr *expr,
nft_data_copy(®s->data[priv->dreg],
nft_set_ext_data(ext), set->dlen);
+ nft_set_elem_update_expr(ext, regs, pkt);
}
static const struct nla_policy nft_lookup_policy[NFTA_LOOKUP_MAX + 1] = {
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH 2/5] netfilter: nf_tables: remove EXPORT_SYMBOL_GPL for nft_expr_init()
2020-03-11 14:30 ` [PATCH 2/5] netfilter: nf_tables: remove EXPORT_SYMBOL_GPL for nft_expr_init() Pablo Neira Ayuso
@ 2020-03-15 14:33 ` Pablo Neira Ayuso
0 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2020-03-15 14:33 UTC (permalink / raw)
To: netfilter-devel
On Wed, Mar 11, 2020 at 03:30:13PM +0100, Pablo Neira Ayuso wrote:
> Not exposed anymore to modules, remove it.
This patch subject is not correct, there is no EXPORT_SYMBOL_GPL
removal.
Instead, this statifies the nft_expr_init() symbol.
I'm going to fix this here before applying.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2020-03-15 14:33 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-11 14:30 [PATCH 0/5 nf-next,v2] enhance stateful expression support Pablo Neira Ayuso
2020-03-11 14:30 ` [PATCH 1/5] netfilter: nf_tables: add nft_set_elem_expr_alloc() Pablo Neira Ayuso
2020-03-11 14:30 ` [PATCH 2/5] netfilter: nf_tables: remove EXPORT_SYMBOL_GPL for nft_expr_init() Pablo Neira Ayuso
2020-03-15 14:33 ` Pablo Neira Ayuso
2020-03-11 14:30 ` [PATCH 3/5] netfilter: nf_tables: add elements with stateful expressions Pablo Neira Ayuso
2020-03-11 14:30 ` [PATCH 4/5] netfilter: nf_tables: add nft_set_elem_update_expr() helper function Pablo Neira Ayuso
2020-03-11 14:30 ` [PATCH 5/5] netfilter: nft_lookup: update element stateful expression Pablo Neira Ayuso
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.