netfilter-devel.vger.kernel.org archive mirror
* [PATCH nf-next 0/4] enhance stateful expression support
@ 2020-03-11 14:13 Pablo Neira Ayuso
  2020-03-11 14:13 ` [PATCH nf-next 1/4] netfilter: nf_tables: remove EXPORT_SYMBOL_GPL for nft_expr_init() Pablo Neira Ayuso
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2020-03-11 14:13 UTC (permalink / raw)
  To: netfilter-devel

Hi,

This patchset allows users to add and to restore stateful expressions
of set elements, e.g.

 table ip test {
        set test {
                type ipv4_addr
                size 65535
                flags dynamic,timeout
                timeout 30d
                gc-interval 1d
                elements = { 192.168.10.13 expires 19d23h52m27s576ms counter packets 51 bytes 17265 }
        }
        chain output {
                type filter hook output priority 0;
                update @test { ip saddr }
        }
 }

You can also add counters to elements from the control plane, i.e.

 table ip test {
        set test {
                type ipv4_addr
                size 65535
                elements = { 192.168.2.1 counter packets 75 bytes 19043 }
        }

        chain output {
                type filter hook output priority filter; policy accept;
                ip daddr @test
        }
 }

Thanks.

Pablo Neira Ayuso (4):
  netfilter: nf_tables: remove EXPORT_SYMBOL_GPL for nft_expr_init()
  netfilter: nf_tables: add elements with stateful expressions
  netfilter: nf_tables: add nft_set_elem_update_expr() helper function
  netfilter: nft_lookup: update element stateful expression

 include/net/netfilter/nf_tables.h | 14 ++++++++++++--
 net/netfilter/nf_tables_api.c     | 25 ++++++++++++++++++++++---
 net/netfilter/nft_dynset.c        |  8 +-------
 net/netfilter/nft_lookup.c        |  1 +
 4 files changed, 36 insertions(+), 12 deletions(-)

--
2.11.0



* [PATCH nf-next 1/4] netfilter: nf_tables: remove EXPORT_SYMBOL_GPL for nft_expr_init()
  2020-03-11 14:13 [PATCH nf-next 0/4] enhance stateful expression support Pablo Neira Ayuso
@ 2020-03-11 14:13 ` Pablo Neira Ayuso
  2020-03-11 14:13 ` [PATCH nf-next 2/4] netfilter: nf_tables: add elements with stateful expressions Pablo Neira Ayuso
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2020-03-11 14:13 UTC (permalink / raw)
  To: netfilter-devel

Not exposed anymore to modules, remove it.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/net/netfilter/nf_tables.h | 2 --
 net/netfilter/nf_tables_api.c     | 4 ++--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index da2b8ff9f066..13c257f7dd44 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -853,8 +853,6 @@ static inline void *nft_expr_priv(const struct nft_expr *expr)
 	return (void *)expr->data;
 }
 
-struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
-			       const struct nlattr *nla);
 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr);
 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
 		  const struct nft_expr *expr);
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index a9f4169c8610..0f670d13ae27 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2523,8 +2523,8 @@ static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
 	module_put(type->owner);
 }
 
-struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
-			       const struct nlattr *nla)
+static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
+				      const struct nlattr *nla)
 {
 	struct nft_expr_info info;
 	struct nft_expr *expr;
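Review bot: the subject line promises removal of EXPORT_SYMBOL_GPL for nft_expr_init(), but this hunk only adds `static` to the definition, and the diffstat for nf_tables_api.c (2 insertions, 2 deletions) is accounted for entirely by the two signature lines, so no `EXPORT_SYMBOL_GPL(nft_expr_init);` line is removed anywhere in the patch. If the export was already dropped by an earlier commit, say so and retitle the patch ("make nft_expr_init() static"); if the EXPORT_SYMBOL_GPL() line still follows the function body, it has to be removed in this same patch, since exporting a now-static symbol is not what the subject describes.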
-- 
2.11.0



* [PATCH nf-next 2/4] netfilter: nf_tables: add elements with stateful expressions
  2020-03-11 14:13 [PATCH nf-next 0/4] enhance stateful expression support Pablo Neira Ayuso
  2020-03-11 14:13 ` [PATCH nf-next 1/4] netfilter: nf_tables: remove EXPORT_SYMBOL_GPL for nft_expr_init() Pablo Neira Ayuso
@ 2020-03-11 14:13 ` Pablo Neira Ayuso
  2020-03-11 14:13 ` [PATCH nf-next 3/4] netfilter: nf_tables: add nft_set_elem_update_expr() helper function Pablo Neira Ayuso
  2020-03-11 14:13 ` [PATCH nf-next 4/4] netfilter: nft_lookup: update element stateful expression Pablo Neira Ayuso
  3 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2020-03-11 14:13 UTC (permalink / raw)
  To: netfilter-devel

Update nft_add_set_elem() to handle the NFTA_SET_ELEM_EXPR netlink
attribute. This patch allows users to add elements with stateful
expressions.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_tables_api.c | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 0f670d13ae27..a90bf8d0b9ea 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4913,6 +4913,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
 	struct nft_set_elem elem;
 	struct nft_set_binding *binding;
 	struct nft_object *obj = NULL;
+	struct nft_expr *expr = NULL;
 	struct nft_userdata *udata;
 	struct nft_data_desc desc;
 	struct nft_data data;
@@ -4980,10 +4981,17 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
 			return err;
 	}
 
+	if (nla[NFTA_SET_ELEM_EXPR] != NULL) {
+		expr = nft_set_elem_expr_alloc(ctx, set,
+					       nla[NFTA_SET_ELEM_EXPR]);
+		if (IS_ERR(expr))
+			return PTR_ERR(expr);
+	}
+
 	err = nft_setelem_parse_key(ctx, set, &elem.key.val,
 				    nla[NFTA_SET_ELEM_KEY]);
 	if (err < 0)
-		return err;
+		goto err_set_elem_expr;
 
 	nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
 
@@ -5002,6 +5010,10 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
 			nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
 	}
 
+	if (expr)
+		nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPR,
+				       expr->ops->size);
+
 	if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
 		if (!(set->flags & NFT_SET_OBJECT)) {
 			err = -EINVAL;
@@ -5086,6 +5098,10 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
 		*nft_set_ext_obj(ext) = obj;
 		obj->use++;
 	}
+	if (expr) {
+		memcpy(nft_set_ext_expr(ext), expr, expr->ops->size);
+		kfree(expr);
+	}
 
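Review bot: after `kfree(expr);` the local `expr` still holds the freed pointer, and every error path that follows this point (the `trans == NULL` case right below, for one) ends at the new `err_set_elem_expr` label, which calls `nft_expr_destroy(ctx, expr)` on that freed memory: a use-after-free followed by a second free. Add `expr = NULL;` immediately after `kfree(expr);` so the cleanup label skips it; the copy inside the element extension then owns the expression state and the module reference, which is presumably why kfree() rather than nft_expr_destroy() is used here, and that intent is worth a one-line comment.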
 	trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
 	if (trans == NULL)
@@ -5141,6 +5157,9 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
 	nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
 err_parse_key:
 	nft_data_release(&elem.key.val, NFT_DATA_VALUE);
+err_set_elem_expr:
+	if (expr != NULL)
+		nft_expr_destroy(ctx, expr);
 
 	return err;
 }
-- 
2.11.0



* [PATCH nf-next 3/4] netfilter: nf_tables: add nft_set_elem_update_expr() helper function
  2020-03-11 14:13 [PATCH nf-next 0/4] enhance stateful expression support Pablo Neira Ayuso
  2020-03-11 14:13 ` [PATCH nf-next 1/4] netfilter: nf_tables: remove EXPORT_SYMBOL_GPL for nft_expr_init() Pablo Neira Ayuso
  2020-03-11 14:13 ` [PATCH nf-next 2/4] netfilter: nf_tables: add elements with stateful expressions Pablo Neira Ayuso
@ 2020-03-11 14:13 ` Pablo Neira Ayuso
  2020-03-11 14:13 ` [PATCH nf-next 4/4] netfilter: nft_lookup: update element stateful expression Pablo Neira Ayuso
  3 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2020-03-11 14:13 UTC (permalink / raw)
  To: netfilter-devel

This helper function runs the eval path of the stateful expression
of an existing set element.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/net/netfilter/nf_tables.h | 12 ++++++++++++
 net/netfilter/nft_dynset.c        |  8 +-------
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 13c257f7dd44..f9f61905a485 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -897,6 +897,18 @@ static inline struct nft_userdata *nft_userdata(const struct nft_rule *rule)
 	return (void *)&rule->data[rule->dlen];
 }
 
+static inline void nft_set_elem_update_expr(const struct nft_set_ext *ext,
+					    struct nft_regs *regs,
+					    const struct nft_pktinfo *pkt)
+{
+	struct nft_expr *expr;
+
+	if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) {
+		expr = nft_set_ext_expr(ext);
+		expr->ops->eval(expr, regs, pkt);
+	}
+}
+
 /*
  * The last pointer isn't really necessary, but the compiler isn't able to
  * determine that the result of nft_expr_last() is always the same since it
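Review bot: the helper takes a `const struct nft_set_ext *ext` and then runs `expr->ops->eval()`, which mutates the expression state stored inside that extension (a counter, for instance), and its name says "update" while what it does is evaluate the expression. A short comment above the function stating that it runs from the packet path and modifies the element's stateful expression in place would tell the reader that the const qualifier only covers the extension header, and would document the contract for the new caller in nft_lookup.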
diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index e106cf1c5b8b..46ab28ec4b53 100644
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -81,7 +81,6 @@ void nft_dynset_eval(const struct nft_expr *expr,
 	const struct nft_dynset *priv = nft_expr_priv(expr);
 	struct nft_set *set = priv->set;
 	const struct nft_set_ext *ext;
-	const struct nft_expr *sexpr;
 	u64 timeout;
 
 	if (priv->op == NFT_DYNSET_OP_DELETE) {
@@ -91,18 +90,13 @@ void nft_dynset_eval(const struct nft_expr *expr,
 
 	if (set->ops->update(set, &regs->data[priv->sreg_key], nft_dynset_new,
 			     expr, regs, &ext)) {
-		sexpr = NULL;
-		if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
-			sexpr = nft_set_ext_expr(ext);
-
 		if (priv->op == NFT_DYNSET_OP_UPDATE &&
 		    nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
 			timeout = priv->timeout ? : set->timeout;
 			*nft_set_ext_expiration(ext) = get_jiffies_64() + timeout;
 		}
 
-		if (sexpr != NULL)
-			sexpr->ops->eval(sexpr, regs, pkt);
+		nft_set_elem_update_expr(ext, regs, pkt);
 
 		if (priv->invert)
 			regs->verdict.code = NFT_BREAK;
-- 
2.11.0



* [PATCH nf-next 4/4] netfilter: nft_lookup: update element stateful expression
  2020-03-11 14:13 [PATCH nf-next 0/4] enhance stateful expression support Pablo Neira Ayuso
                   ` (2 preceding siblings ...)
  2020-03-11 14:13 ` [PATCH nf-next 3/4] netfilter: nf_tables: add nft_set_elem_update_expr() helper function Pablo Neira Ayuso
@ 2020-03-11 14:13 ` Pablo Neira Ayuso
  3 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2020-03-11 14:13 UTC (permalink / raw)
  To: netfilter-devel

If the set element comes with a stateful expression, update it.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nft_lookup.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c
index 660bad688e2b..1e70359d633c 100644
--- a/net/netfilter/nft_lookup.c
+++ b/net/netfilter/nft_lookup.c
@@ -43,6 +43,7 @@ void nft_lookup_eval(const struct nft_expr *expr,
 		nft_data_copy(&regs->data[priv->dreg],
 			      nft_set_ext_data(ext), set->dlen);
 
+	nft_set_elem_update_expr(ext, regs, pkt);
 }
 
 static const struct nla_policy nft_lookup_policy[NFTA_LOOKUP_MAX + 1] = {
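Review bot: the new call is unconditional, while the nft_data_copy() just above it is indented under a condition that the hunk does not show, and nothing in the visible context guarantees that `ext` points at a matched element when control reaches this line. nft_lookup supports an inverted match, where evaluation continues precisely when no element was found, and in that case the lookup has not set `ext`. Initialise `ext` to NULL and guard with `if (ext)` (or move the call into the branch that handles a successful match) so the eval never runs on an unset pointer.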
-- 
2.11.0


