* [PATCH net 0/3] Netfilter fixes for net
@ 2021-01-27 13:25 Pablo Neira Ayuso
2021-01-27 13:25 ` [PATCH net 1/3] netfilter: nft_dynset: honor stateful expressions in set definition Pablo Neira Ayuso
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2021-01-27 13:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net:
1) Honor stateful expressions defined in the set from the dynset
extension. The set definition provides a stateful expression
that must be used by the dynset expression in case it is specified.
2) Missing timeout extension in the set element in the dynset
extension leads to inconsistent ruleset listing, not allowing
the user to restore timeout and expiration on ruleset reload.
3) Do not dump the stateful expression from the dynset extension
if it coming from the set definition.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit c8a8ead01736419a14c3106e1f26a79d74fc84c7:
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf (2021-01-12 20:25:29 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to ce5379963b2884e9d23bea0c5674a7251414c84b:
netfilter: nft_dynset: dump expressions when set definition contains no expressions (2021-01-16 19:54:42 +0100)
----------------------------------------------------------------
Pablo Neira Ayuso (3):
netfilter: nft_dynset: honor stateful expressions in set definition
netfilter: nft_dynset: add timeout extension to template
netfilter: nft_dynset: dump expressions when set definition contains no expressions
include/net/netfilter/nf_tables.h | 2 ++
net/netfilter/nf_tables_api.c | 5 ++---
net/netfilter/nft_dynset.c | 41 +++++++++++++++++++++++++--------------
3 files changed, 30 insertions(+), 18 deletions(-)
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH net 1/3] netfilter: nft_dynset: honor stateful expressions in set definition
2021-01-27 13:25 [PATCH net 0/3] Netfilter fixes for net Pablo Neira Ayuso
@ 2021-01-27 13:25 ` Pablo Neira Ayuso
2021-01-28 2:00 ` patchwork-bot+netdevbpf
2021-01-27 13:25 ` [PATCH net 2/3] netfilter: nft_dynset: add timeout extension to template Pablo Neira Ayuso
2021-01-27 13:25 ` [PATCH net 3/3] netfilter: nft_dynset: dump expressions when set definition contains no expressions Pablo Neira Ayuso
2 siblings, 1 reply; 5+ messages in thread
From: Pablo Neira Ayuso @ 2021-01-27 13:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
If the set definition contains stateful expressions, allocate them for
the newly added entries from the packet path.
Fixes: 65038428b2c6 ("netfilter: nf_tables: allow to specify stateful expression in set definition")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_tables.h | 2 ++
net/netfilter/nf_tables_api.c | 5 ++---
net/netfilter/nft_dynset.c | 6 ++++++
3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index f4af8362d234..4b6ecf532623 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -721,6 +721,8 @@ void *nft_set_elem_init(const struct nft_set *set,
const struct nft_set_ext_tmpl *tmpl,
const u32 *key, const u32 *key_end, const u32 *data,
u64 timeout, u64 expiration, gfp_t gfp);
+int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
+ struct nft_expr *expr_array[]);
void nft_set_elem_destroy(const struct nft_set *set, void *elem,
bool destroy_expr);
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 15c467f1a9dd..8d3aa97b52e7 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5235,9 +5235,8 @@ static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
kfree(elem);
}
-static int nft_set_elem_expr_clone(const struct nft_ctx *ctx,
- struct nft_set *set,
- struct nft_expr *expr_array[])
+int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
+ struct nft_expr *expr_array[])
{
struct nft_expr *expr;
int err, i, k;
diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index 0b053f75cd60..86204740f6c7 100644
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -295,6 +295,12 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
err = -EOPNOTSUPP;
goto err_expr_free;
}
+ } else if (set->num_exprs > 0) {
+ err = nft_set_elem_expr_clone(ctx, set, priv->expr_array);
+ if (err < 0)
+ return err;
+
+ priv->num_exprs = set->num_exprs;
}
nft_set_ext_prepare(&priv->tmpl);
--
2.20.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH net 2/3] netfilter: nft_dynset: add timeout extension to template
2021-01-27 13:25 [PATCH net 0/3] Netfilter fixes for net Pablo Neira Ayuso
2021-01-27 13:25 ` [PATCH net 1/3] netfilter: nft_dynset: honor stateful expressions in set definition Pablo Neira Ayuso
@ 2021-01-27 13:25 ` Pablo Neira Ayuso
2021-01-27 13:25 ` [PATCH net 3/3] netfilter: nft_dynset: dump expressions when set definition contains no expressions Pablo Neira Ayuso
2 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2021-01-27 13:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Otherwise, the newly create element shows no timeout when listing the
ruleset. If the set definition does not specify a default timeout, then
the set element only shows the expiration time, but not the timeout.
This is a problem when restoring a stateful ruleset listing since it
skips the timeout policy entirely.
Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_dynset.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index 86204740f6c7..218c09e4fddd 100644
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -312,8 +312,10 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
nft_dynset_ext_add_expr(priv);
if (set->flags & NFT_SET_TIMEOUT) {
- if (timeout || set->timeout)
+ if (timeout || set->timeout) {
+ nft_set_ext_add(&priv->tmpl, NFT_SET_EXT_TIMEOUT);
nft_set_ext_add(&priv->tmpl, NFT_SET_EXT_EXPIRATION);
+ }
}
priv->timeout = timeout;
--
2.20.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH net 3/3] netfilter: nft_dynset: dump expressions when set definition contains no expressions
2021-01-27 13:25 [PATCH net 0/3] Netfilter fixes for net Pablo Neira Ayuso
2021-01-27 13:25 ` [PATCH net 1/3] netfilter: nft_dynset: honor stateful expressions in set definition Pablo Neira Ayuso
2021-01-27 13:25 ` [PATCH net 2/3] netfilter: nft_dynset: add timeout extension to template Pablo Neira Ayuso
@ 2021-01-27 13:25 ` Pablo Neira Ayuso
2 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2021-01-27 13:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
If the set definition provides no stateful expressions, then include the
stateful expression in the ruleset listing. Without this fix, the dynset
rule listing shows the stateful expressions provided by the set
definition.
Fixes: 65038428b2c6 ("netfilter: nf_tables: allow to specify stateful expression in set definition")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_dynset.c | 31 +++++++++++++++++--------------
1 file changed, 17 insertions(+), 14 deletions(-)
diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index 218c09e4fddd..d164ef9e6843 100644
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -384,22 +384,25 @@ static int nft_dynset_dump(struct sk_buff *skb, const struct nft_expr *expr)
nf_jiffies64_to_msecs(priv->timeout),
NFTA_DYNSET_PAD))
goto nla_put_failure;
- if (priv->num_exprs == 1) {
- if (nft_expr_dump(skb, NFTA_DYNSET_EXPR, priv->expr_array[0]))
- goto nla_put_failure;
- } else if (priv->num_exprs > 1) {
- struct nlattr *nest;
-
- nest = nla_nest_start_noflag(skb, NFTA_DYNSET_EXPRESSIONS);
- if (!nest)
- goto nla_put_failure;
-
- for (i = 0; i < priv->num_exprs; i++) {
- if (nft_expr_dump(skb, NFTA_LIST_ELEM,
- priv->expr_array[i]))
+ if (priv->set->num_exprs == 0) {
+ if (priv->num_exprs == 1) {
+ if (nft_expr_dump(skb, NFTA_DYNSET_EXPR,
+ priv->expr_array[0]))
goto nla_put_failure;
+ } else if (priv->num_exprs > 1) {
+ struct nlattr *nest;
+
+ nest = nla_nest_start_noflag(skb, NFTA_DYNSET_EXPRESSIONS);
+ if (!nest)
+ goto nla_put_failure;
+
+ for (i = 0; i < priv->num_exprs; i++) {
+ if (nft_expr_dump(skb, NFTA_LIST_ELEM,
+ priv->expr_array[i]))
+ goto nla_put_failure;
+ }
+ nla_nest_end(skb, nest);
}
- nla_nest_end(skb, nest);
}
if (nla_put_be32(skb, NFTA_DYNSET_FLAGS, htonl(flags)))
goto nla_put_failure;
--
2.20.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH net 1/3] netfilter: nft_dynset: honor stateful expressions in set definition
2021-01-27 13:25 ` [PATCH net 1/3] netfilter: nft_dynset: honor stateful expressions in set definition Pablo Neira Ayuso
@ 2021-01-28 2:00 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 5+ messages in thread
From: patchwork-bot+netdevbpf @ 2021-01-28 2:00 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, kuba
Hello:
This series was applied to netdev/net.git (refs/heads/master):
On Wed, 27 Jan 2021 14:25:10 +0100 you wrote:
> If the set definition contains stateful expressions, allocate them for
> the newly added entries from the packet path.
>
> Fixes: 65038428b2c6 ("netfilter: nf_tables: allow to specify stateful expression in set definition")
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> include/net/netfilter/nf_tables.h | 2 ++
> net/netfilter/nf_tables_api.c | 5 ++---
> net/netfilter/nft_dynset.c | 6 ++++++
> 3 files changed, 10 insertions(+), 3 deletions(-)
Here is the summary with links:
- [net,1/3] netfilter: nft_dynset: honor stateful expressions in set definition
https://git.kernel.org/netdev/net/c/fca05d4d61e6
- [net,2/3] netfilter: nft_dynset: add timeout extension to template
https://git.kernel.org/netdev/net/c/0c5b7a501e74
- [net,3/3] netfilter: nft_dynset: dump expressions when set definition contains no expressions
https://git.kernel.org/netdev/net/c/ce5379963b28
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-01-28 2:01 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-27 13:25 [PATCH net 0/3] Netfilter fixes for net Pablo Neira Ayuso
2021-01-27 13:25 ` [PATCH net 1/3] netfilter: nft_dynset: honor stateful expressions in set definition Pablo Neira Ayuso
2021-01-28 2:00 ` patchwork-bot+netdevbpf
2021-01-27 13:25 ` [PATCH net 2/3] netfilter: nft_dynset: add timeout extension to template Pablo Neira Ayuso
2021-01-27 13:25 ` [PATCH net 3/3] netfilter: nft_dynset: dump expressions when set definition contains no expressions Pablo Neira Ayuso
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.