* [PATCH nft] src: set on flags to request multi-statement support
@ 2021-01-04 20:45 Pablo Neira Ayuso
0 siblings, 0 replies; only message in thread
From: Pablo Neira Ayuso @ 2021-01-04 20:45 UTC (permalink / raw)
To: netfilter-devel
Old kernel reject requests for element with multiple statements because
userspace sets on the flags for multi-statements.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/linux/netfilter/nf_tables.h | 3 +++
src/evaluate.c | 8 ++++++++
src/netlink_linearize.c | 2 ++
3 files changed, 13 insertions(+)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 0b5fd5d52bb6..4ecf457f7317 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -279,6 +279,7 @@ enum nft_rule_compat_attributes {
* @NFT_SET_EVAL: set can be updated from the evaluation path
* @NFT_SET_OBJECT: set contains stateful objects
* @NFT_SET_CONCAT: set contains a concatenation
+ * @NFT_SET_EXPR: set contains expressions
*/
enum nft_set_flags {
NFT_SET_ANONYMOUS = 0x1,
@@ -289,6 +290,7 @@ enum nft_set_flags {
NFT_SET_EVAL = 0x20,
NFT_SET_OBJECT = 0x40,
NFT_SET_CONCAT = 0x80,
+ NFT_SET_EXPR = 0x100,
};
/**
@@ -686,6 +688,7 @@ enum nft_dynset_ops {
enum nft_dynset_flags {
NFT_DYNSET_F_INV = (1 << 0),
+ NFT_DYNSET_F_EXPR = (1 << 1),
};
/**
diff --git a/src/evaluate.c b/src/evaluate.c
index ab9357fa2ede..38dbc33d7826 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3671,7 +3671,9 @@ static int set_key_data_error(struct eval_ctx *ctx, const struct set *set,
static int set_evaluate(struct eval_ctx *ctx, struct set *set)
{
+ unsigned int num_stmts = 0;
struct table *table;
+ struct stmt *stmt;
const char *type;
table = table_lookup_global(ctx);
@@ -3732,6 +3734,12 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
if (set->timeout)
set->flags |= NFT_SET_TIMEOUT;
+ list_for_each_entry(stmt, &set->stmt_list, list)
+ num_stmts++;
+
+ if (num_stmts > 1)
+ set->flags |= NFT_SET_EXPR;
+
if (set_is_anonymous(set->flags))
return 0;
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 09d0c61cfcc0..f1b3ff6940ea 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -1429,6 +1429,8 @@ static void netlink_gen_set_stmt(struct netlink_linearize_ctx *ctx,
nftnl_expr_add_expr(nle, NFTNL_EXPR_DYNSET_EXPRESSIONS,
netlink_gen_stmt_stateful(this));
}
+ nftnl_expr_set_u32(nle, NFTNL_EXPR_DYNSET_FLAGS,
+ NFT_DYNSET_F_EXPR);
}
}
--
2.20.1
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2021-01-04 20:46 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-04 20:45 [PATCH nft] src: set on flags to request multi-statement support Pablo Neira Ayuso
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.