* [PATCH 0/5 nf-next,v2] enhance stateful expression support
From: Pablo Neira Ayuso @ 2020-03-11 14:30 UTC (permalink / raw)
To: netfilter-devel
This patchset allows users to add and to restore stateful expressions
of set elements, e.g.
table ip test {
    set test {
        type ipv4_addr
        size 65535
        flags dynamic,timeout
        timeout 30d
        gc-interval 1d
        elements = { 192.168.10.13 expires 19d23h52m27s576ms counter packets 51 bytes 17265 }
    }
    chain output {
        type filter hook output priority 0;
        update @test { ip saddr }
    }
}
You can also add counters to elements from the control plane, i.e.
table ip test {
    set test {
        type ipv4_addr
        size 65535
        elements = { 192.168.2.1 counter packets 75 bytes 19043 }
    }
    chain output {
        type filter hook output priority filter; policy accept;
        ip daddr @test
    }
}
v2: Missing patch to add nft_set_elem_expr_alloc() helper function.
Pablo Neira Ayuso (5):
netfilter: nf_tables: add nft_set_elem_expr_alloc()
netfilter: nf_tables: remove EXPORT_SYMBOL_GPL for nft_expr_init()
netfilter: nf_tables: add elements with stateful expressions
netfilter: nf_tables: add nft_set_elem_update_expr() helper function
netfilter: nft_lookup: update element stateful expression
include/net/netfilter/nf_tables.h | 18 +++++++++++--
net/netfilter/nf_tables_api.c | 55 ++++++++++++++++++++++++++++++++++++---
net/netfilter/nft_dynset.c | 23 +++-------------
net/netfilter/nft_lookup.c | 1 +
4 files changed, 72 insertions(+), 25 deletions(-)
--
2.11.0
* [PATCH 1/5] netfilter: nf_tables: add nft_set_elem_expr_alloc()
From: Pablo Neira Ayuso @ 2020-03-11 14:30 UTC (permalink / raw)
To: netfilter-devel
Add helper function to create stateful expression.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_tables.h | 4 ++++
net/netfilter/nf_tables_api.c | 30 ++++++++++++++++++++++++++++++
net/netfilter/nft_dynset.c | 15 ++-------------
3 files changed, 36 insertions(+), 13 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 4170c033d461..da2b8ff9f066 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -673,6 +673,10 @@ static inline struct nft_object **nft_set_ext_obj(const struct nft_set_ext *ext)
return nft_set_ext(ext, NFT_SET_EXT_OBJREF);
}
+struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
+ const struct nft_set *set,
+ const struct nlattr *attr);
+
void *nft_set_elem_init(const struct nft_set *set,
const struct nft_set_ext_tmpl *tmpl,
const u32 *key, const u32 *key_end, const u32 *data,
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 38c680f28f15..a9f4169c8610 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4801,6 +4801,36 @@ static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
return trans;
}
+struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
+ const struct nft_set *set,
+ const struct nlattr *attr)
+{
+ struct nft_expr *expr;
+ int err;
+
+ expr = nft_expr_init(ctx, attr);
+ if (IS_ERR(expr))
+ return expr;
+
+ err = -EOPNOTSUPP;
+ if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL))
+ goto err_set_elem_expr;
+
+ if (expr->ops->type->flags & NFT_EXPR_GC) {
+ if (set->flags & NFT_SET_TIMEOUT)
+ goto err_set_elem_expr;
+ if (!set->ops->gc_init)
+ goto err_set_elem_expr;
+ set->ops->gc_init(set);
+ }
+
+ return expr;
+
+err_set_elem_expr:
+ nft_expr_destroy(ctx, expr);
+ return ERR_PTR(err);
+}
+
void *nft_set_elem_init(const struct nft_set *set,
const struct nft_set_ext_tmpl *tmpl,
const u32 *key, const u32 *key_end,
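Review bot: `set->ops->gc_init(set)` is run as a side effect inside an allocation helper, before the caller has committed anything; once 3/5 calls this from the control plane, gc_init() also runs for an element add that later fails, and once per added element rather than once per dynset expression. Either confirm every gc_init() implementation tolerates repeated calls, or have the helper only validate and leave the gc_init() call to the caller's success path. There is no EXPORT_SYMBOL_GPL for the new helper, which only works because nft_dynset.o is linked into nf_tables.ko rather than built as a separate module; worth stating in the commit message, since 2/5 relies on the same fact. Minor: `err` only ever holds -EOPNOTSUPP, so `return ERR_PTR(-EOPNOTSUPP);` at the label would drop the variable.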
diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index 683785225a3e..e106cf1c5b8b 100644
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -206,21 +206,10 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
if (!(set->flags & NFT_SET_EVAL))
return -EINVAL;
- priv->expr = nft_expr_init(ctx, tb[NFTA_DYNSET_EXPR]);
+ priv->expr = nft_set_elem_expr_alloc(ctx, set,
+ tb[NFTA_DYNSET_EXPR]);
if (IS_ERR(priv->expr))
return PTR_ERR(priv->expr);
-
- err = -EOPNOTSUPP;
- if (!(priv->expr->ops->type->flags & NFT_EXPR_STATEFUL))
- goto err1;
-
- if (priv->expr->ops->type->flags & NFT_EXPR_GC) {
- if (set->flags & NFT_SET_TIMEOUT)
- goto err1;
- if (!set->ops->gc_init)
- goto err1;
- set->ops->gc_init(set);
- }
}
nft_set_ext_prepare(&priv->tmpl);
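Review bot: with the `err = -EOPNOTSUPP;` assignment and the three `goto err1` removed, check that `err` and the `err1` label in nft_dynset_init() still have users further down the function (the hunk does not show them); an unreferenced label produces a -Wunused-label warning. The replacement keeps the same -EOPNOTSUPP outcomes for non-stateful expressions and for GC expressions on timeout sets, so the dynset path is behaviour-preserving.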
--
2.11.0
* [PATCH 2/5] netfilter: nf_tables: remove EXPORT_SYMBOL_GPL for nft_expr_init()
From: Pablo Neira Ayuso @ 2020-03-11 14:30 UTC (permalink / raw)
To: netfilter-devel
Not exposed anymore to modules, remove it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_tables.h | 2 --
net/netfilter/nf_tables_api.c | 4 ++--
2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index da2b8ff9f066..13c257f7dd44 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -853,8 +853,6 @@ static inline void *nft_expr_priv(const struct nft_expr *expr)
return (void *)expr->data;
}
-struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
- const struct nlattr *nla);
void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr);
int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
const struct nft_expr *expr);
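Review bot: dropping the prototype means any caller outside nf_tables_api.c stops building, so this patch must stay after 1/5, which converted the only such caller in nft_dynset.c; a sentence in the commit message saying so would save the next person a bisect.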
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index a9f4169c8610..0f670d13ae27 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2523,8 +2523,8 @@ static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
module_put(type->owner);
}
-struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
- const struct nlattr *nla)
+static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
+ const struct nlattr *nla)
{
struct nft_expr_info info;
struct nft_expr *expr;
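Review bot: the subject line says EXPORT_SYMBOL_GPL is removed, but no EXPORT_SYMBOL_GPL line appears in either hunk; what changes is that nft_expr_init() becomes `static` and its prototype leaves the header. Retitle along the lines of "netfilter: nf_tables: make nft_expr_init() static" and mention in the body that 1/5 converted the last external caller. Since the definition stays at line ~2526 and its remaining in-file caller nft_set_elem_expr_alloc() sits at ~4801 (see the hunk header in 1/5), no forward declaration is needed.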
--
2.11.0
* [PATCH 3/5] netfilter: nf_tables: add elements with stateful expressions
From: Pablo Neira Ayuso @ 2020-03-11 14:30 UTC (permalink / raw)
To: netfilter-devel
Update nft_add_set_elem() to handle the NFTA_SET_ELEM_EXPR netlink
attribute. This patch allows users to add elements with stateful
expressions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 0f670d13ae27..a90bf8d0b9ea 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4913,6 +4913,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
struct nft_set_elem elem;
struct nft_set_binding *binding;
struct nft_object *obj = NULL;
+ struct nft_expr *expr = NULL;
struct nft_userdata *udata;
struct nft_data_desc desc;
struct nft_data data;
@@ -4980,10 +4981,17 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
return err;
}
+ if (nla[NFTA_SET_ELEM_EXPR] != NULL) {
+ expr = nft_set_elem_expr_alloc(ctx, set,
+ nla[NFTA_SET_ELEM_EXPR]);
+ if (IS_ERR(expr))
+ return PTR_ERR(expr);
+ }
+
err = nft_setelem_parse_key(ctx, set, &elem.key.val,
nla[NFTA_SET_ELEM_KEY]);
if (err < 0)
- return err;
+ goto err_set_elem_expr;
nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
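Review bot: nla[NFTA_SET_ELEM_EXPR] is handed to nft_set_elem_expr_alloc() as a nested attribute, but the series adds no nla_policy entry for it; confirm nft_set_elem_policy already carries `[NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED }`, otherwise an unvalidated attribute reaches nft_expr_init(). Also, the expression is instantiated (including the gc_init() side effect inside the helper from 1/5) before the key is even parsed; allocating it after nft_setelem_parse_key() succeeds would avoid the extra unwind on the most common failure.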
@@ -5002,6 +5010,10 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
}
+ if (expr)
+ nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPR,
+ expr->ops->size);
+
if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
if (!(set->flags & NFT_SET_OBJECT)) {
err = -EINVAL;
@@ -5086,6 +5098,10 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
*nft_set_ext_obj(ext) = obj;
obj->use++;
}
+ if (expr) {
+ memcpy(nft_set_ext_expr(ext), expr, expr->ops->size);
+ kfree(expr);
+ }
trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
if (trans == NULL)
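Review bot: after `memcpy(nft_set_ext_expr(ext), expr, expr->ops->size);` and `kfree(expr);` the local `expr` still points at freed memory, yet every later failure (the `trans == NULL` check on the very next line, and anything that unwinds through err_parse_key) falls through into the new err_set_elem_expr label, which calls nft_expr_destroy() on it. That is a use-after-free on an expression whose copy already belongs to the element. Add `expr = NULL;` right after the kfree() so the label only releases an expression that was never embedded.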
@@ -5141,6 +5157,9 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
err_parse_key:
nft_data_release(&elem.key.val, NFT_DATA_VALUE);
+err_set_elem_expr:
+ if (expr != NULL)
+ nft_expr_destroy(ctx, expr);
return err;
}
--
2.11.0
* [PATCH 4/5] netfilter: nf_tables: add nft_set_elem_update_expr() helper function
From: Pablo Neira Ayuso @ 2020-03-11 14:30 UTC (permalink / raw)
To: netfilter-devel
This helper function runs the eval path of the stateful expression
of an existing set element.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_tables.h | 12 ++++++++++++
net/netfilter/nft_dynset.c | 8 +-------
2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 13c257f7dd44..f9f61905a485 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -897,6 +897,18 @@ static inline struct nft_userdata *nft_userdata(const struct nft_rule *rule)
return (void *)&rule->data[rule->dlen];
}
+static inline void nft_set_elem_update_expr(const struct nft_set_ext *ext,
+ struct nft_regs *regs,
+ const struct nft_pktinfo *pkt)
+{
+ struct nft_expr *expr;
+
+ if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) {
+ expr = nft_set_ext_expr(ext);
+ expr->ops->eval(expr, regs, pkt);
+ }
+}
+
/*
* The last pointer isn't really necessary, but the compiler isn't able to
* determine that the result of nft_expr_last() is always the same since it
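Review bot: the helper takes `const struct nft_set_ext *ext` and then runs `expr->ops->eval()` on the expression stored inside it, i.e. it mutates state behind a const pointer. That mirrors the nft_dynset.c code it replaces, but since this is now a header-level helper that 5/5 makes reachable on every nft_lookup match, a short comment stating that eval() of an NFT_EXPR_STATEFUL expression must be safe for concurrent packet-path callers would help future users.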
diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index e106cf1c5b8b..46ab28ec4b53 100644
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -81,7 +81,6 @@ void nft_dynset_eval(const struct nft_expr *expr,
const struct nft_dynset *priv = nft_expr_priv(expr);
struct nft_set *set = priv->set;
const struct nft_set_ext *ext;
- const struct nft_expr *sexpr;
u64 timeout;
if (priv->op == NFT_DYNSET_OP_DELETE) {
@@ -91,18 +90,13 @@ void nft_dynset_eval(const struct nft_expr *expr,
if (set->ops->update(set, ®s->data[priv->sreg_key], nft_dynset_new,
expr, regs, &ext)) {
- sexpr = NULL;
- if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
- sexpr = nft_set_ext_expr(ext);
-
if (priv->op == NFT_DYNSET_OP_UPDATE &&
nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
timeout = priv->timeout ? : set->timeout;
*nft_set_ext_expiration(ext) = get_jiffies_64() + timeout;
}
- if (sexpr != NULL)
- sexpr->ops->eval(sexpr, regs, pkt);
+ nft_set_elem_update_expr(ext, regs, pkt);
if (priv->invert)
regs->verdict.code = NFT_BREAK;
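Review bot: behaviour is preserved: the expiration refresh still happens before the expression is evaluated, and the NULL check the removed `sexpr` code did by hand is now the nft_set_ext_exists() test inside nft_set_elem_update_expr(). The `®s->data[...]` in the context line is the list archive's rendering of `&regs->data[...]`, not a change in the patch.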
--
2.11.0
* [PATCH 5/5] netfilter: nft_lookup: update element stateful expression
From: Pablo Neira Ayuso @ 2020-03-11 14:30 UTC (permalink / raw)
To: netfilter-devel
If the set element comes with a stateful expression, update it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_lookup.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c
index 660bad688e2b..1e70359d633c 100644
--- a/net/netfilter/nft_lookup.c
+++ b/net/netfilter/nft_lookup.c
@@ -43,6 +43,7 @@ void nft_lookup_eval(const struct nft_expr *expr,
nft_data_copy(®s->data[priv->dreg],
nft_set_ext_data(ext), set->dlen);
+ nft_set_elem_update_expr(ext, regs, pkt);
}
static const struct nla_policy nft_lookup_policy[NFTA_LOOKUP_MAX + 1] = {
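Review bot: the call is added unconditionally at the end of nft_lookup_eval(), after the map copy whose closing brace is the context here. The hunk does not show the lookup that fills `ext`, so confirm `ext` is valid on every path that reaches this line, in particular under the inverted-match flag, where the expression counts as a match precisely when no element was found; if it is not, the update needs a guard of its own. As in 4/5, `®s->data` is the archive's rendering of `&regs->data`.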
--
2.11.0
* Re: [PATCH 2/5] netfilter: nf_tables: remove EXPORT_SYMBOL_GPL for nft_expr_init()
From: Pablo Neira Ayuso @ 2020-03-15 14:33 UTC (permalink / raw)
To: netfilter-devel
On Wed, Mar 11, 2020 at 03:30:13PM +0100, Pablo Neira Ayuso wrote:
> Not exposed anymore to modules, remove it.
This patch subject is not correct, there is no EXPORT_SYMBOL_GPL
removal.
Instead, this statifies the nft_expr_init() symbol.
I'm going to fix this here before applying.