Netfilter-Devel Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH nf-next 0/5,v2] nftables: support for implicit chains binding
@ 2020-06-29 21:03 Pablo Neira Ayuso
  2020-06-29 21:03 ` [PATCH nf-next 1/5] netfilter: nf_tables: add NFTA_RULE_CHAIN_ID attribute Pablo Neira Ayuso
                   ` (4 more replies)
  0 siblings, 5 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2020-06-29 21:03 UTC (permalink / raw)
  To: netfilter-devel

Hi,

This is a second version for the patch series entitled:

	"support for anonymous non-base chains in nftables" [1]

Changes since last patchset are:

* The kernel dynamically allocates the (internal) chain name, unless
  userspace provides an chain name.

* Remove the chain from the lists and decrement the reference counters
  before the commit path (from nft_data_release() path). This
  ensures no ongoing netlink dump over the chain list ends up walking over
  a chain object while being released.

* Add nft_chain_add() in a new patch to re-add the chain into the list
  if the preparation phase fails, given that nft_data_release() now
  zaps the chain from the list.

[1] https://marc.info/?l=netfilter-devel&m=159310902001476&w=2

Pablo Neira Ayuso (5):
  netfilter: nf_tables: add NFTA_RULE_CHAIN_ID attribute
  netfilter: nf_tables: add NFTA_VERDICT_CHAIN_ID attribute
  netfilter: nf_tables: expose enum nft_chain_flags through UAPI
  netfilter: nf_tables: add nft_chain_add()
  netfilter: nf_tables: add NFT_CHAIN_BINDING

 include/net/netfilter/nf_tables.h        |  20 ++-
 include/uapi/linux/netfilter/nf_tables.h |   9 ++
 net/netfilter/nf_tables_api.c            | 158 +++++++++++++++++++----
 net/netfilter/nft_immediate.c            |  51 ++++++++
 4 files changed, 204 insertions(+), 34 deletions(-)

-- 
2.20.1


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH nf-next 1/5] netfilter: nf_tables: add NFTA_RULE_CHAIN_ID attribute
  2020-06-29 21:03 [PATCH nf-next 0/5,v2] nftables: support for implicit chains binding Pablo Neira Ayuso
@ 2020-06-29 21:03 ` Pablo Neira Ayuso
  2020-06-30 10:24   ` kernel test robot
  2020-06-29 21:03 ` [PATCH nf-next 2/5] netfilter: nf_tables: add NFTA_VERDICT_CHAIN_ID attribute Pablo Neira Ayuso
                   ` (3 subsequent siblings)
  4 siblings, 1 reply; 7+ messages in thread
From: Pablo Neira Ayuso @ 2020-06-29 21:03 UTC (permalink / raw)
  To: netfilter-devel

This new netlink attribute allows you to add rules to chains by the
chain ID.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/uapi/linux/netfilter/nf_tables.h |  1 +
 net/netfilter/nf_tables_api.c            | 36 +++++++++++++++++++++---
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 477779595b78..2304d1b7ba5e 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -240,6 +240,7 @@ enum nft_rule_attributes {
 	NFTA_RULE_PAD,
 	NFTA_RULE_ID,
 	NFTA_RULE_POSITION_ID,
+	NFTA_RULE_CHAIN_ID,
 	__NFTA_RULE_MAX
 };
 #define NFTA_RULE_MAX		(__NFTA_RULE_MAX - 1)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 650ef0dd0773..fbe8f9209813 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2153,6 +2153,22 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
 	return err;
 }
 
+static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
+					       const struct nlattr *nla)
+{
+	u32 id = ntohl(nla_get_be32(nla));
+	struct nft_trans *trans;
+
+	list_for_each_entry(trans, &net->nft.commit_list, list) {
+		struct nft_chain *chain = trans->ctx.chain;
+
+		if (trans->msg_type == NFT_MSG_NEWCHAIN &&
+		    id == nft_trans_chain_id(trans))
+			return chain;
+	}
+	return ERR_PTR(-ENOENT);
+}
+
 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
 			      struct sk_buff *skb, const struct nlmsghdr *nlh,
 			      const struct nlattr * const nla[],
@@ -2633,6 +2649,7 @@ static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
 				    .len = NFT_USERDATA_MAXLEN },
 	[NFTA_RULE_ID]		= { .type = NLA_U32 },
 	[NFTA_RULE_POSITION_ID]	= { .type = NLA_U32 },
+	[NFTA_RULE_CHAIN_ID]	= { .type = NLA_U32 },
 };
 
 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
@@ -3039,10 +3056,21 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk,
 		return PTR_ERR(table);
 	}
 
-	chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
-	if (IS_ERR(chain)) {
-		NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
-		return PTR_ERR(chain);
+	if (nla[NFTA_RULE_CHAIN]) {
+		chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
+					 genmask);
+		if (IS_ERR(chain)) {
+			NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
+			return PTR_ERR(chain);
+		}
+	} else if (nla[NFTA_RULE_CHAIN_ID]) {
+		chain = nft_chain_lookup_byid(net, nla[NFTA_RULE_CHAIN_ID]);
+		if (IS_ERR(chain)) {
+			NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
+			return PTR_ERR(chain);
+		}
+	} else {
+		return -EINVAL;
 	}
 
 	if (nla[NFTA_RULE_HANDLE]) {
-- 
2.20.1


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH nf-next 2/5] netfilter: nf_tables: add NFTA_VERDICT_CHAIN_ID attribute
  2020-06-29 21:03 [PATCH nf-next 0/5,v2] nftables: support for implicit chains binding Pablo Neira Ayuso
  2020-06-29 21:03 ` [PATCH nf-next 1/5] netfilter: nf_tables: add NFTA_RULE_CHAIN_ID attribute Pablo Neira Ayuso
@ 2020-06-29 21:03 ` Pablo Neira Ayuso
  2020-06-29 21:03 ` [PATCH nf-next 3/5] netfilter: nf_tables: expose enum nft_chain_flags through UAPI Pablo Neira Ayuso
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2020-06-29 21:03 UTC (permalink / raw)
  To: netfilter-devel

This netlink attribute allows you to identify the chain to jump/goto by
means of the chain ID.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/uapi/linux/netfilter/nf_tables.h |  2 ++
 net/netfilter/nf_tables_api.c            | 16 +++++++++++++---
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 2304d1b7ba5e..683e75126d68 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -471,11 +471,13 @@ enum nft_data_attributes {
  *
  * @NFTA_VERDICT_CODE: nf_tables verdict (NLA_U32: enum nft_verdicts)
  * @NFTA_VERDICT_CHAIN: jump target chain name (NLA_STRING)
+ * @NFTA_VERDICT_CHAIN_ID: jump target chain ID (NLA_U32)
  */
 enum nft_verdict_attributes {
 	NFTA_VERDICT_UNSPEC,
 	NFTA_VERDICT_CODE,
 	NFTA_VERDICT_CHAIN,
+	NFTA_VERDICT_CHAIN_ID,
 	__NFTA_VERDICT_MAX
 };
 #define NFTA_VERDICT_MAX	(__NFTA_VERDICT_MAX - 1)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index fbe8f9209813..9be978788aef 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -8242,6 +8242,7 @@ static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
 	[NFTA_VERDICT_CODE]	= { .type = NLA_U32 },
 	[NFTA_VERDICT_CHAIN]	= { .type = NLA_STRING,
 				    .len = NFT_CHAIN_MAXNAMELEN - 1 },
+	[NFTA_VERDICT_CHAIN_ID]	= { .type = NLA_U32 },
 };
 
 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
@@ -8278,10 +8279,19 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
 		break;
 	case NFT_JUMP:
 	case NFT_GOTO:
-		if (!tb[NFTA_VERDICT_CHAIN])
+		if (tb[NFTA_VERDICT_CHAIN]) {
+			chain = nft_chain_lookup(ctx->net, ctx->table,
+						 tb[NFTA_VERDICT_CHAIN],
+						 genmask);
+		} else if (tb[NFTA_VERDICT_CHAIN_ID]) {
+			chain = nft_chain_lookup_byid(ctx->net,
+						      tb[NFTA_VERDICT_CHAIN_ID]);
+			if (chain->use != 0)
+				return -EBUSY;
+		} else {
 			return -EINVAL;
-		chain = nft_chain_lookup(ctx->net, ctx->table,
-					 tb[NFTA_VERDICT_CHAIN], genmask);
+		}
+
 		if (IS_ERR(chain))
 			return PTR_ERR(chain);
 		if (nft_is_base_chain(chain))
-- 
2.20.1


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH nf-next 3/5] netfilter: nf_tables: expose enum nft_chain_flags through UAPI
  2020-06-29 21:03 [PATCH nf-next 0/5,v2] nftables: support for implicit chains binding Pablo Neira Ayuso
  2020-06-29 21:03 ` [PATCH nf-next 1/5] netfilter: nf_tables: add NFTA_RULE_CHAIN_ID attribute Pablo Neira Ayuso
  2020-06-29 21:03 ` [PATCH nf-next 2/5] netfilter: nf_tables: add NFTA_VERDICT_CHAIN_ID attribute Pablo Neira Ayuso
@ 2020-06-29 21:03 ` Pablo Neira Ayuso
  2020-06-29 21:03 ` [PATCH nf-next 4/5] netfilter: nf_tables: add nft_chain_add() Pablo Neira Ayuso
  2020-06-29 21:03 ` [PATCH nf-next 5/5] netfilter: nf_tables: add NFT_CHAIN_BINDING Pablo Neira Ayuso
  4 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2020-06-29 21:03 UTC (permalink / raw)
  To: netfilter-devel

This enum definition was never exposed through UAPI. Rename
NFT_BASE_CHAIN to NFT_CHAIN_BASE for consistency.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/net/netfilter/nf_tables.h        | 7 +------
 include/uapi/linux/netfilter/nf_tables.h | 5 +++++
 net/netfilter/nf_tables_api.c            | 4 ++--
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 3e5226684017..6d1e7da6e00a 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -921,11 +921,6 @@ static inline void nft_set_elem_update_expr(const struct nft_set_ext *ext,
 	     (expr) != (last); \
 	     (expr) = nft_expr_next(expr))
 
-enum nft_chain_flags {
-	NFT_BASE_CHAIN			= 0x1,
-	NFT_CHAIN_HW_OFFLOAD		= 0x2,
-};
-
 #define NFT_CHAIN_POLICY_UNSET		U8_MAX
 
 /**
@@ -1036,7 +1031,7 @@ static inline struct nft_base_chain *nft_base_chain(const struct nft_chain *chai
 
 static inline bool nft_is_base_chain(const struct nft_chain *chain)
 {
-	return chain->flags & NFT_BASE_CHAIN;
+	return chain->flags & NFT_CHAIN_BASE;
 }
 
 int __nft_release_basechain(struct nft_ctx *ctx);
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 683e75126d68..2cf7cc3b50c1 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -184,6 +184,11 @@ enum nft_table_attributes {
 };
 #define NFTA_TABLE_MAX		(__NFTA_TABLE_MAX - 1)
 
+enum nft_chain_flags {
+	NFT_CHAIN_BASE		= (1 << 0),
+	NFT_CHAIN_HW_OFFLOAD	= (1 << 1),
+};
+
 /**
  * enum nft_chain_attributes - nf_tables chain netlink attributes
  *
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 9be978788aef..03fc2538e7c9 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1903,7 +1903,7 @@ static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
 		nft_basechain_hook_init(&basechain->ops, family, hook, chain);
 	}
 
-	chain->flags |= NFT_BASE_CHAIN | flags;
+	chain->flags |= NFT_CHAIN_BASE | flags;
 	basechain->policy = NF_ACCEPT;
 	if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
 	    nft_chain_offload_priority(basechain) < 0)
@@ -2255,7 +2255,7 @@ static int nf_tables_newchain(struct net *net, struct sock *nlsk,
 		if (nlh->nlmsg_flags & NLM_F_REPLACE)
 			return -EOPNOTSUPP;
 
-		flags |= chain->flags & NFT_BASE_CHAIN;
+		flags |= chain->flags & NFT_CHAIN_BASE;
 		return nf_tables_updchain(&ctx, genmask, policy, flags);
 	}
 
-- 
2.20.1


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH nf-next 4/5] netfilter: nf_tables: add nft_chain_add()
  2020-06-29 21:03 [PATCH nf-next 0/5,v2] nftables: support for implicit chains binding Pablo Neira Ayuso
                   ` (2 preceding siblings ...)
  2020-06-29 21:03 ` [PATCH nf-next 3/5] netfilter: nf_tables: expose enum nft_chain_flags through UAPI Pablo Neira Ayuso
@ 2020-06-29 21:03 ` Pablo Neira Ayuso
  2020-06-29 21:03 ` [PATCH nf-next 5/5] netfilter: nf_tables: add NFT_CHAIN_BINDING Pablo Neira Ayuso
  4 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2020-06-29 21:03 UTC (permalink / raw)
  To: netfilter-devel

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_tables_api.c | 28 ++++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 03fc2538e7c9..572f049d7de4 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1914,6 +1914,20 @@ static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
 	return 0;
 }
 
+static int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
+{
+	int err;
+
+	err = rhltable_insert_key(&table->chains_ht, chain->name,
+				  &chain->rhlhead, nft_chain_ht_params);
+	if (err)
+		return err;
+
+	list_add_tail_rcu(&chain->list, &table->chains);
+
+	return 0;
+}
+
 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
 			      u8 policy, u32 flags)
 {
@@ -1991,16 +2005,9 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
 	if (err < 0)
 		goto err1;
 
-	err = rhltable_insert_key(&table->chains_ht, chain->name,
-				  &chain->rhlhead, nft_chain_ht_params);
-	if (err)
-		goto err2;
-
 	trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
 	if (IS_ERR(trans)) {
 		err = PTR_ERR(trans);
-		rhltable_remove(&table->chains_ht, &chain->rhlhead,
-				nft_chain_ht_params);
 		goto err2;
 	}
 
@@ -2008,8 +2015,13 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
 	if (nft_is_base_chain(chain))
 		nft_trans_chain_policy(trans) = policy;
 
+	err = nft_chain_add(table, chain);
+	if (err < 0) {
+		nft_trans_destroy(trans);
+		goto err2;
+	}
+
 	table->use++;
-	list_add_tail_rcu(&chain->list, &table->chains);
 
 	return 0;
 err2:
-- 
2.20.1


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH nf-next 5/5] netfilter: nf_tables: add NFT_CHAIN_BINDING
  2020-06-29 21:03 [PATCH nf-next 0/5,v2] nftables: support for implicit chains binding Pablo Neira Ayuso
                   ` (3 preceding siblings ...)
  2020-06-29 21:03 ` [PATCH nf-next 4/5] netfilter: nf_tables: add nft_chain_add() Pablo Neira Ayuso
@ 2020-06-29 21:03 ` Pablo Neira Ayuso
  4 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2020-06-29 21:03 UTC (permalink / raw)
  To: netfilter-devel

This new chain flag specifies that:

* the kernel dynamically allocates the chain name, if no chain name
  is specified.

* If the immediate expression that refers to this chain is removed,
  then this bound chain (and its content) is destroyed.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/net/netfilter/nf_tables.h        | 13 ++++-
 include/uapi/linux/netfilter/nf_tables.h |  1 +
 net/netfilter/nf_tables_api.c            | 74 ++++++++++++++++++++----
 net/netfilter/nft_immediate.c            | 51 ++++++++++++++++
 4 files changed, 128 insertions(+), 11 deletions(-)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 6d1e7da6e00a..0ebbe000bb0a 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -899,6 +899,8 @@ static inline struct nft_userdata *nft_userdata(const struct nft_rule *rule)
 	return (void *)&rule->data[rule->dlen];
 }
 
+void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule);
+
 static inline void nft_set_elem_update_expr(const struct nft_set_ext *ext,
 					    struct nft_regs *regs,
 					    const struct nft_pktinfo *pkt)
@@ -944,7 +946,8 @@ struct nft_chain {
 	struct nft_table		*table;
 	u64				handle;
 	u32				use;
-	u8				flags:6,
+	u8				flags:5,
+					bound:1,
 					genmask:2;
 	char				*name;
 
@@ -989,6 +992,14 @@ int nft_chain_validate_dependency(const struct nft_chain *chain,
 int nft_chain_validate_hooks(const struct nft_chain *chain,
                              unsigned int hook_flags);
 
+static inline bool nft_chain_is_bound(struct nft_chain *chain)
+{
+	return (chain->flags & NFT_CHAIN_BINDING) && chain->bound;
+}
+
+void nft_chain_del(struct nft_chain *chain);
+void nf_tables_chain_destroy(struct nft_ctx *ctx);
+
 struct nft_stats {
 	u64			bytes;
 	u64			pkts;
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 2cf7cc3b50c1..e00b4ae6174e 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -187,6 +187,7 @@ enum nft_table_attributes {
 enum nft_chain_flags {
 	NFT_CHAIN_BASE		= (1 << 0),
 	NFT_CHAIN_HW_OFFLOAD	= (1 << 1),
+	NFT_CHAIN_BINDING	= (1 << 2),
 };
 
 /**
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 572f049d7de4..e679f7e409c3 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1098,6 +1098,9 @@ static int nft_flush_table(struct nft_ctx *ctx)
 		if (!nft_is_active_next(ctx->net, chain))
 			continue;
 
+		if (nft_chain_is_bound(chain))
+			continue;
+
 		ctx->chain = chain;
 
 		err = nft_delchain(ctx);
@@ -1414,9 +1417,8 @@ static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
 		if (nft_dump_stats(skb, stats))
 			goto nla_put_failure;
 
-		if ((chain->flags & NFT_CHAIN_HW_OFFLOAD) &&
-		    nla_put_be32(skb, NFTA_CHAIN_FLAGS,
-				 htonl(NFT_CHAIN_HW_OFFLOAD)))
+		if (chain->flags &&
+		    nla_put_be32(skb, NFTA_CHAIN_FLAGS, htons(chain->flags)))
 			goto nla_put_failure;
 	}
 
@@ -1621,7 +1623,7 @@ static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
 	kvfree(chain->rules_next);
 }
 
-static void nf_tables_chain_destroy(struct nft_ctx *ctx)
+void nf_tables_chain_destroy(struct nft_ctx *ctx)
 {
 	struct nft_chain *chain = ctx->chain;
 	struct nft_hook *hook, *next;
@@ -1928,6 +1930,8 @@ static int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
 	return 0;
 }
 
+static u64 chain_id;
+
 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
 			      u8 policy, u32 flags)
 {
@@ -1936,6 +1940,7 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
 	struct nft_base_chain *basechain;
 	struct nft_stats __percpu *stats;
 	struct net *net = ctx->net;
+	char name[NFT_NAME_MAXLEN];
 	struct nft_trans *trans;
 	struct nft_chain *chain;
 	struct nft_rule **rules;
@@ -1947,6 +1952,9 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
 	if (nla[NFTA_CHAIN_HOOK]) {
 		struct nft_chain_hook hook;
 
+		if (flags & NFT_CHAIN_BINDING)
+			return -EOPNOTSUPP;
+
 		err = nft_chain_parse_hook(net, nla, &hook, family, true);
 		if (err < 0)
 			return err;
@@ -1976,16 +1984,33 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
 			return err;
 		}
 	} else {
+		if (flags & NFT_CHAIN_BASE)
+			return -EINVAL;
+		if (flags & NFT_CHAIN_HW_OFFLOAD)
+			return -EOPNOTSUPP;
+
 		chain = kzalloc(sizeof(*chain), GFP_KERNEL);
 		if (chain == NULL)
 			return -ENOMEM;
+
+		chain->flags = flags;
 	}
 	ctx->chain = chain;
 
 	INIT_LIST_HEAD(&chain->rules);
 	chain->handle = nf_tables_alloc_handle(table);
 	chain->table = table;
-	chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
+
+	if (nla[NFTA_CHAIN_NAME]) {
+		chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
+	} else {
+		if (!(flags & NFT_CHAIN_BINDING))
+			return -EINVAL;
+
+		snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
+		chain->name = kstrdup(name, GFP_KERNEL);
+	}
+
 	if (!chain->name) {
 		err = -ENOMEM;
 		goto err1;
@@ -2958,8 +2983,7 @@ static int nf_tables_getrule(struct net *net, struct sock *nlsk,
 	return err;
 }
 
-static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
-				   struct nft_rule *rule)
+void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule)
 {
 	struct nft_expr *expr, *next;
 
@@ -5330,11 +5354,24 @@ static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
  */
 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
 {
+	struct nft_chain *chain;
+	struct nft_rule *rule;
+
 	if (type == NFT_DATA_VERDICT) {
 		switch (data->verdict.code) {
 		case NFT_JUMP:
 		case NFT_GOTO:
-			data->verdict.chain->use++;
+			chain = data->verdict.chain;
+			chain->use++;
+
+			if (!nft_chain_is_bound(chain))
+				break;
+
+			chain->table->use++;
+			list_for_each_entry(rule, &chain->rules, list)
+				chain->use++;
+
+			nft_chain_add(chain->table, chain);
 			break;
 		}
 	}
@@ -7474,7 +7511,7 @@ static void nft_obj_del(struct nft_object *obj)
 	list_del_rcu(&obj->list);
 }
 
-static void nft_chain_del(struct nft_chain *chain)
+void nft_chain_del(struct nft_chain *chain)
 {
 	struct nft_table *table = chain->table;
 
@@ -7825,6 +7862,10 @@ static int __nf_tables_abort(struct net *net, bool autoload)
 				kfree(nft_trans_chain_name(trans));
 				nft_trans_destroy(trans);
 			} else {
+				if (nft_chain_is_bound(trans->ctx.chain)) {
+					nft_trans_destroy(trans);
+					break;
+				}
 				trans->ctx.table->use--;
 				nft_chain_del(trans->ctx.chain);
 				nf_tables_unregister_hook(trans->ctx.net,
@@ -8321,10 +8362,23 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
 
 static void nft_verdict_uninit(const struct nft_data *data)
 {
+	struct nft_chain *chain;
+	struct nft_rule *rule;
+
 	switch (data->verdict.code) {
 	case NFT_JUMP:
 	case NFT_GOTO:
-		data->verdict.chain->use--;
+		chain = data->verdict.chain;
+		chain->use--;
+
+		if (!nft_chain_is_bound(chain))
+			break;
+
+		chain->table->use--;
+		list_for_each_entry(rule, &chain->rules, list)
+			chain->use--;
+
+		nft_chain_del(chain);
 		break;
 	}
 }
diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c
index c7f0ef73d939..255603df1789 100644
--- a/net/netfilter/nft_immediate.c
+++ b/net/netfilter/nft_immediate.c
@@ -54,6 +54,23 @@ static int nft_immediate_init(const struct nft_ctx *ctx,
 	if (err < 0)
 		goto err1;
 
+	if (priv->dreg == NFT_REG_VERDICT) {
+		struct nft_chain *chain = priv->data.verdict.chain;
+
+		switch (priv->data.verdict.code) {
+		case NFT_JUMP:
+		case NFT_GOTO:
+			if (nft_chain_is_bound(chain)) {
+				err = -EBUSY;
+				goto err1;
+			}
+			chain->bound = true;
+			break;
+		default:
+			break;
+		}
+	}
+
 	return 0;
 
 err1:
@@ -81,6 +98,39 @@ static void nft_immediate_deactivate(const struct nft_ctx *ctx,
 	return nft_data_release(&priv->data, nft_dreg_to_type(priv->dreg));
 }
 
+static void nft_immediate_destroy(const struct nft_ctx *ctx,
+				  const struct nft_expr *expr)
+{
+	const struct nft_immediate_expr *priv = nft_expr_priv(expr);
+	const struct nft_data *data = &priv->data;
+	struct nft_ctx chain_ctx;
+	struct nft_chain *chain;
+	struct nft_rule *rule;
+
+	if (priv->dreg != NFT_REG_VERDICT)
+		return;
+
+	switch (data->verdict.code) {
+	case NFT_JUMP:
+	case NFT_GOTO:
+		chain = data->verdict.chain;
+
+		if (!nft_chain_is_bound(chain))
+			break;
+
+		chain_ctx = *ctx;
+		chain_ctx.chain = chain;
+
+		list_for_each_entry(rule, &chain->rules, list)
+			nf_tables_rule_destroy(&chain_ctx, rule);
+
+		nf_tables_chain_destroy(&chain_ctx);
+		break;
+	default:
+		break;
+	}
+}
+
 static int nft_immediate_dump(struct sk_buff *skb, const struct nft_expr *expr)
 {
 	const struct nft_immediate_expr *priv = nft_expr_priv(expr);
@@ -170,6 +220,7 @@ static const struct nft_expr_ops nft_imm_ops = {
 	.init		= nft_immediate_init,
 	.activate	= nft_immediate_activate,
 	.deactivate	= nft_immediate_deactivate,
+	.destroy	= nft_immediate_destroy,
 	.dump		= nft_immediate_dump,
 	.validate	= nft_immediate_validate,
 	.offload	= nft_immediate_offload,
-- 
2.20.1


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH nf-next 1/5] netfilter: nf_tables: add NFTA_RULE_CHAIN_ID attribute
  2020-06-29 21:03 ` [PATCH nf-next 1/5] netfilter: nf_tables: add NFTA_RULE_CHAIN_ID attribute Pablo Neira Ayuso
@ 2020-06-30 10:24   ` kernel test robot
  0 siblings, 0 replies; 7+ messages in thread
From: kernel test robot @ 2020-06-30 10:24 UTC (permalink / raw)
  To: Pablo Neira Ayuso, netfilter-devel; +Cc: kbuild-all, clang-built-linux


[-- Attachment #1: Type: text/plain, Size: 29373 bytes --]

Hi Pablo,

I love your patch! Yet something to improve:

[auto build test ERROR on nf-next/master]

url:    https://github.com/0day-ci/linux/commits/Pablo-Neira-Ayuso/netfilter-nf_tables-add-NFTA_RULE_CHAIN_ID-attribute/20200630-060423
base:   https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
config: mips-randconfig-r023-20200630 (attached as .config)
compiler: clang version 11.0.0 (https://github.com/llvm/llvm-project cf1d04484344be52ada8178e41d18fd15a9b880c)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # install mips cross compiling tool for clang build
        # apt-get install binutils-mips-linux-gnu
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=mips 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

   size_t __const btrfs_get_num_csums(void);
          ^~~~~~~~
   In file included from fs/btrfs/orphan.c:6:
   fs/btrfs/ctree.h:2209:8: warning: 'const' type qualifier on return type has no effect [-Wignored-qualifiers]
   size_t __const btrfs_get_num_csums(void);
          ^~~~~~~~
   1 warning generated.
   1 warning generated.
   In file included from fs/btrfs/export.c:5:
   fs/btrfs/ctree.h:2209:8: warning: 'const' type qualifier on return type has no effect [-Wignored-qualifiers]
   size_t __const btrfs_get_num_csums(void);
          ^~~~~~~~
   net/ipv4/ah4.c:512:4: warning: format specifies type 'unsigned short' but the argument has type 'int' [-Wformat]
                           aalg_desc->uinfo.auth.icv_fullbits / 8);
                           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/printk.h:305:34: note: expanded from macro 'pr_info'
           printk(KERN_INFO pr_fmt(fmt), ##__VA_ARGS__)
                                   ~~~     ^~~~~~~~~~~
   fs/fat/dir.c:282: warning: Function parameter or member 'dir' not described in 'fat_parse_long'
   fs/fat/dir.c:282: warning: Function parameter or member 'pos' not described in 'fat_parse_long'
   fs/fat/dir.c:282: warning: Function parameter or member 'bh' not described in 'fat_parse_long'
   fs/fat/dir.c:282: warning: Function parameter or member 'de' not described in 'fat_parse_long'
   fs/fat/dir.c:282: warning: Function parameter or member 'unicode' not described in 'fat_parse_long'
   fs/fat/dir.c:282: warning: Function parameter or member 'nr_slots' not described in 'fat_parse_long'
   1 warning generated.
   1 warning generated.
   net/ipv4/esp4.c:1122:5: warning: format specifies type 'unsigned short' but the argument has type 'int' [-Wformat]
                                   aalg_desc->uinfo.auth.icv_fullbits / 8);
                                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/printk.h:305:34: note: expanded from macro 'pr_info'
           printk(KERN_INFO pr_fmt(fmt), ##__VA_ARGS__)
                                   ~~~     ^~~~~~~~~~~
   2 warnings generated.
   net/ipv6/esp6.c:811:5: warning: format specifies type 'unsigned short' but the argument has type 'int' [-Wformat]
                                   aalg_desc->uinfo.auth.icv_fullbits / 8);
                                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/printk.h:305:34: note: expanded from macro 'pr_info'
           printk(KERN_INFO pr_fmt(fmt), ##__VA_ARGS__)
                                   ~~~     ^~~~~~~~~~~
   2 warnings generated.
   1 warning generated.
   1 warning generated.
   fs/btrfs/zlib.c:36:19: warning: no previous prototype for function 'zlib_get_workspace' [-Wmissing-prototypes]
   struct list_head *zlib_get_workspace(unsigned int level)
                     ^
   fs/btrfs/zlib.c:36:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
   struct list_head *zlib_get_workspace(unsigned int level)
   ^
   static 
   fs/btrfs/zlib.c:46:6: warning: no previous prototype for function 'zlib_free_workspace' [-Wmissing-prototypes]
   void zlib_free_workspace(struct list_head *ws)
        ^
   fs/btrfs/zlib.c:46:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
   void zlib_free_workspace(struct list_head *ws)
   ^
   static 
   fs/btrfs/zlib.c:55:19: warning: no previous prototype for function 'zlib_alloc_workspace' [-Wmissing-prototypes]
   struct list_head *zlib_alloc_workspace(unsigned int level)
                     ^
   fs/btrfs/zlib.c:55:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
   struct list_head *zlib_alloc_workspace(unsigned int level)
   ^
   static 
   fs/btrfs/zlib.c:94:5: warning: no previous prototype for function 'zlib_compress_pages' [-Wmissing-prototypes]
   int zlib_compress_pages(struct list_head *ws, struct address_space *mapping,
       ^
   fs/btrfs/zlib.c:94:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
   int zlib_compress_pages(struct list_head *ws, struct address_space *mapping,
   ^
   static 
   fs/btrfs/zlib.c:277:5: warning: no previous prototype for function 'zlib_decompress_bio' [-Wmissing-prototypes]
   int zlib_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
       ^
   fs/btrfs/zlib.c:277:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
   int zlib_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
   ^
   static 
   fs/btrfs/zlib.c:368:5: warning: no previous prototype for function 'zlib_decompress' [-Wmissing-prototypes]
   int zlib_decompress(struct list_head *ws, unsigned char *data_in,
       ^
   fs/btrfs/zlib.c:368:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
   int zlib_decompress(struct list_head *ws, unsigned char *data_in,
   ^
   static 
   net/ipv6/ah6.c:709:4: warning: format specifies type 'unsigned short' but the argument has type 'int' [-Wformat]
                           aalg_desc->uinfo.auth.icv_fullbits/8);
                           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/printk.h:305:34: note: expanded from macro 'pr_info'
           printk(KERN_INFO pr_fmt(fmt), ##__VA_ARGS__)
                                   ~~~     ^~~~~~~~~~~
   In file included from fs/btrfs/free-space-cache.c:14:
   fs/btrfs/ctree.h:2209:8: warning: 'const' type qualifier on return type has no effect [-Wignored-qualifiers]
   size_t __const btrfs_get_num_csums(void);
          ^~~~~~~~
   6 warnings generated.
   In file included from fs/btrfs/tree-log.c:12:
   fs/btrfs/ctree.h:2209:8: warning: 'const' type qualifier on return type has no effect [-Wignored-qualifiers]
   size_t __const btrfs_get_num_csums(void);
          ^~~~~~~~
   1 warning generated.
>> net/netfilter/nf_tables_api.c:2159:13: error: implicit declaration of function 'nft_trans_chain_id' [-Werror,-Wimplicit-function-declaration]
                       id == nft_trans_chain_id(trans))
                             ^
   net/netfilter/nf_tables_api.c:2159:13: note: did you mean 'nft_trans_chain_add'?
   net/netfilter/nf_tables_api.c:275:26: note: 'nft_trans_chain_add' declared here
   static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
                            ^
   1 error generated.
   make[3]: *** [scripts/Makefile.build:266: net/netfilter/nf_tables_api.o] Error 1
   fs/freevxfs/vxfs_bmap.c:68: warning: Function parameter or member 'bn' not described in 'vxfs_bmap_ext4'
   fs/freevxfs/vxfs_bmap.c:68: warning: Excess function parameter 'iblock' description in 'vxfs_bmap_ext4'
   fs/btrfs/lzo.c:66:6: warning: no previous prototype for function 'lzo_free_workspace' [-Wmissing-prototypes]
   void lzo_free_workspace(struct list_head *ws)
        ^
   fs/btrfs/lzo.c:66:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
   void lzo_free_workspace(struct list_head *ws)
   ^
   static 
   fs/btrfs/lzo.c:76:19: warning: no previous prototype for function 'lzo_alloc_workspace' [-Wmissing-prototypes]
   struct list_head *lzo_alloc_workspace(unsigned int level)
                     ^
   fs/btrfs/lzo.c:76:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
   struct list_head *lzo_alloc_workspace(unsigned int level)
   ^
   static 
   fs/btrfs/lzo.c:114:5: warning: no previous prototype for function 'lzo_compress_pages' [-Wmissing-prototypes]
   int lzo_compress_pages(struct list_head *ws, struct address_space *mapping,
       ^
   fs/btrfs/lzo.c:114:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
   int lzo_compress_pages(struct list_head *ws, struct address_space *mapping,
   ^
   static 
   fs/btrfs/lzo.c:282:5: warning: no previous prototype for function 'lzo_decompress_bio' [-Wmissing-prototypes]
   int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
       ^
   fs/btrfs/lzo.c:282:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
   int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
   ^
   static 
   fs/btrfs/lzo.c:423:5: warning: no previous prototype for function 'lzo_decompress' [-Wmissing-prototypes]
   int lzo_decompress(struct list_head *ws, unsigned char *data_in,
       ^
   fs/btrfs/lzo.c:423:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
   int lzo_decompress(struct list_head *ws, unsigned char *data_in,
   ^
   static 
   fs/fat/misc.c:49: warning: Function parameter or member 'sb' not described in 'fat_msg'
   fs/fat/misc.c:49: warning: Function parameter or member 'level' not described in 'fat_msg'
   fs/fat/misc.c:49: warning: Function parameter or member 'fmt' not described in 'fat_msg'
   5 warnings generated.
   1 warning generated.
   net/ipv6/ip6_gre.c:848:20: warning: unused function 'ip6gre_tnl_addr_conflict' [-Wunused-function]
   static inline bool ip6gre_tnl_addr_conflict(const struct ip6_tnl *t,
                      ^
   fs/fat/nfs.c:24: warning: Function parameter or member 'sb' not described in 'fat_dget'
   fs/btrfs/free-space-cache.c:1263: warning: Function parameter or member 'root' not described in '__btrfs_write_out_cache'
   fs/btrfs/free-space-cache.c:1263: warning: Function parameter or member 'inode' not described in '__btrfs_write_out_cache'
   fs/btrfs/free-space-cache.c:1263: warning: Function parameter or member 'ctl' not described in '__btrfs_write_out_cache'
   fs/btrfs/free-space-cache.c:1263: warning: Function parameter or member 'block_group' not described in '__btrfs_write_out_cache'
   fs/btrfs/free-space-cache.c:1263: warning: Function parameter or member 'io_ctl' not described in '__btrfs_write_out_cache'
   fs/btrfs/free-space-cache.c:1263: warning: Function parameter or member 'trans' not described in '__btrfs_write_out_cache'
   fs/fat/nfs.c:24: warning: Function parameter or member 'i_logstart' not described in 'fat_dget'
   fs/fat/nfs.c:144: warning: Function parameter or member 'sb' not described in 'fat_fh_to_dentry'
   fs/fat/nfs.c:144: warning: Function parameter or member 'fid' not described in 'fat_fh_to_dentry'
   fs/fat/nfs.c:144: warning: Function parameter or member 'fh_len' not described in 'fat_fh_to_dentry'
   fs/fat/nfs.c:144: warning: Function parameter or member 'fh_type' not described in 'fat_fh_to_dentry'
   In file included from fs/btrfs/compression.c:22:
   fs/btrfs/ctree.h:2209:8: warning: 'const' type qualifier on return type has no effect [-Wignored-qualifiers]
   size_t __const btrfs_get_num_csums(void);
          ^~~~~~~~
   In file included from fs/btrfs/delayed-ref.c:9:
   fs/btrfs/ctree.h:2209:8: warning: 'const' type qualifier on return type has no effect [-Wignored-qualifiers]
   size_t __const btrfs_get_num_csums(void);
          ^~~~~~~~
   1 warning generated.
   In file included from fs/btrfs/zstd.c:22:
   fs/btrfs/ctree.h:2209:8: warning: 'const' type qualifier on return type has no effect [-Wignored-qualifiers]
   size_t __const btrfs_get_num_csums(void);
          ^~~~~~~~
   fs/btrfs/zstd.c:170:6: warning: no previous prototype for function 'zstd_init_workspace_manager' [-Wmissing-prototypes]
   void zstd_init_workspace_manager(void)
        ^
   fs/btrfs/zstd.c:170:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
   void zstd_init_workspace_manager(void)
   ^
   static 
   fs/btrfs/zstd.c:196:6: warning: no previous prototype for function 'zstd_cleanup_workspace_manager' [-Wmissing-prototypes]
   void zstd_cleanup_workspace_manager(void)
        ^
   fs/btrfs/zstd.c:196:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
   void zstd_cleanup_workspace_manager(void)
   ^
   static 
   fs/btrfs/zstd.c:263:19: warning: no previous prototype for function 'zstd_get_workspace' [-Wmissing-prototypes]
   struct list_head *zstd_get_workspace(unsigned int level)
                     ^
   fs/btrfs/zstd.c:263:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
   struct list_head *zstd_get_workspace(unsigned int level)
   ^
   static 
   fs/btrfs/zstd.c:304:6: warning: no previous prototype for function 'zstd_put_workspace' [-Wmissing-prototypes]
--
   net/tipc/node.c:139: warning: Function parameter or member 'peer_net' not described in 'tipc_node'
   net/tipc/node.c:139: warning: Function parameter or member 'peer_hash_mix' not described in 'tipc_node'
   net/tipc/node.c:271: warning: Function parameter or member '__n' not described in 'tipc_node_crypto_rx'
   net/tipc/node.c:809: warning: Function parameter or member 'n' not described in '__tipc_node_link_up'
   net/tipc/node.c:809: warning: Function parameter or member 'bearer_id' not described in '__tipc_node_link_up'
   net/tipc/node.c:809: warning: Function parameter or member 'xmitq' not described in '__tipc_node_link_up'
   net/tipc/node.c:875: warning: Function parameter or member 'n' not described in 'tipc_node_link_up'
   net/tipc/node.c:875: warning: Function parameter or member 'bearer_id' not described in 'tipc_node_link_up'
   net/tipc/node.c:875: warning: Function parameter or member 'xmitq' not described in 'tipc_node_link_up'
   net/tipc/node.c:934: warning: Function parameter or member 'n' not described in '__tipc_node_link_down'
   net/tipc/node.c:934: warning: Function parameter or member 'bearer_id' not described in '__tipc_node_link_down'
   net/tipc/node.c:934: warning: Function parameter or member 'xmitq' not described in '__tipc_node_link_down'
   net/tipc/node.c:934: warning: Function parameter or member 'maddr' not described in '__tipc_node_link_down'
   net/tipc/node.c:1522: warning: Function parameter or member 'net' not described in 'tipc_node_get_linkname'
   net/tipc/node.c:1522: warning: Function parameter or member 'addr' not described in 'tipc_node_get_linkname'
   net/tipc/node.c:1522: warning: Function parameter or member 'len' not described in 'tipc_node_get_linkname'
   net/tipc/node.c:1522: warning: Excess function parameter 'node' description in 'tipc_node_get_linkname'
   net/tipc/node.c:1864: warning: Function parameter or member 'n' not described in 'tipc_node_check_state'
   net/tipc/node.c:1864: warning: Function parameter or member 'xmitq' not described in 'tipc_node_check_state'
   net/tipc/node.c:2016: warning: Function parameter or member 'b' not described in 'tipc_rcv'
   net/tipc/node.c:2016: warning: Excess function parameter 'bearer' description in 'tipc_rcv'
   net/tipc/trace.c:43: warning: cannot understand function prototype: 'unsigned long sysctl_tipc_sk_filter[5] __read_mostly = '
   net/tipc/socket.c:131: warning: Function parameter or member 'cong_links' not described in 'tipc_sock'
   net/tipc/socket.c:131: warning: Function parameter or member 'probe_unacked' not described in 'tipc_sock'
   net/tipc/socket.c:131: warning: Function parameter or member 'snd_win' not described in 'tipc_sock'
   net/tipc/socket.c:131: warning: Function parameter or member 'peer_caps' not described in 'tipc_sock'
   net/tipc/socket.c:131: warning: Function parameter or member 'rcv_win' not described in 'tipc_sock'
   net/tipc/socket.c:131: warning: Function parameter or member 'group' not described in 'tipc_sock'
   net/tipc/socket.c:131: warning: Function parameter or member 'oneway' not described in 'tipc_sock'
   net/tipc/socket.c:131: warning: Function parameter or member 'nagle_start' not described in 'tipc_sock'
   net/tipc/socket.c:131: warning: Function parameter or member 'snd_backlog' not described in 'tipc_sock'
   net/tipc/socket.c:131: warning: Function parameter or member 'msg_acc' not described in 'tipc_sock'
   net/tipc/socket.c:131: warning: Function parameter or member 'pkt_cnt' not described in 'tipc_sock'
   net/tipc/socket.c:131: warning: Function parameter or member 'expect_ack' not described in 'tipc_sock'
   net/tipc/socket.c:131: warning: Function parameter or member 'nodelay' not described in 'tipc_sock'
   net/tipc/socket.c:131: warning: Function parameter or member 'group_is_open' not described in 'tipc_sock'
   net/tipc/socket.c:268: warning: Function parameter or member 'sk' not described in 'tsk_advance_rx_queue'
   net/tipc/socket.c:296: warning: Function parameter or member 'sk' not described in 'tsk_rej_rx_queue'
   net/tipc/socket.c:296: warning: Function parameter or member 'error' not described in 'tsk_rej_rx_queue'
   net/tipc/socket.c:725: warning: Excess function parameter 'uaddr_len' description in 'tipc_getname'
   net/tipc/socket.c:887: warning: Function parameter or member 'tsk' not described in 'tipc_send_group_msg'
   net/tipc/socket.c:1066: warning: Function parameter or member 'sock' not described in 'tipc_send_group_bcast'
   net/tipc/socket.c:1066: warning: Excess function parameter 'sk' description in 'tipc_send_group_bcast'
   net/tipc/socket.c:1180: warning: Function parameter or member 'net' not described in 'tipc_sk_mcast_rcv'
   net/tipc/socket.c:1316: warning: Function parameter or member 'inputq' not described in 'tipc_sk_conn_proto_rcv'
   net/tipc/socket.c:1316: warning: Function parameter or member 'xmitq' not described in 'tipc_sk_conn_proto_rcv'
   net/tipc/socket.c:1676: warning: Function parameter or member 'skb' not described in 'tipc_sk_set_orig_addr'
   net/tipc/socket.c:1676: warning: Excess function parameter 'hdr' description in 'tipc_sk_set_orig_addr'
   net/tipc/socket.c:1873: warning: Function parameter or member 'sock' not described in 'tipc_recvmsg'
   net/tipc/socket.c:1981: warning: Function parameter or member 'sock' not described in 'tipc_recvstream'
   net/tipc/socket.c:2096: warning: Excess function parameter 'len' description in 'tipc_data_ready'
   net/tipc/socket.c:2302: warning: Function parameter or member 'xmitq' not described in 'tipc_sk_filter_rcv'
   net/tipc/socket.c:2393: warning: Function parameter or member 'xmitq' not described in 'tipc_sk_enqueue'
   net/tipc/socket.c:2445: warning: Function parameter or member 'net' not described in 'tipc_sk_rcv'
   net/tipc/socket.c:2682: warning: Function parameter or member 'new_sock' not described in 'tipc_accept'
   net/tipc/socket.c:2682: warning: Function parameter or member 'kern' not described in 'tipc_accept'
   net/tipc/socket.c:2682: warning: Excess function parameter 'newsock' description in 'tipc_accept'
   net/tipc/crypto.c:51: warning: cannot understand function prototype: 'enum '
   net/tipc/crypto.c:63: warning: cannot understand function prototype: 'enum '
   net/tipc/crypto.c:114: warning: Function parameter or member 'pending' not described in 'tipc_key'
   net/tipc/crypto.c:114: warning: Function parameter or member 'active' not described in 'tipc_key'
   net/tipc/crypto.c:114: warning: Function parameter or member 'passive' not described in 'tipc_key'
   net/tipc/crypto.c:114: warning: Function parameter or member 'reserved' not described in 'tipc_key'
   net/tipc/crypto.c:114: warning: Function parameter or member 'keys' not described in 'tipc_key'
   net/tipc/crypto.c:122: warning: Function parameter or member 'tfm' not described in 'tipc_tfm'
   net/tipc/crypto.c:122: warning: Function parameter or member 'list' not described in 'tipc_tfm'
   net/tipc/crypto.c:153: warning: Function parameter or member 'hint' not described in 'tipc_aead'
   net/tipc/crypto.c:153: warning: Function parameter or member '____cacheline_aligned' not described in 'tipc_aead'
   net/tipc/crypto.c:160: warning: Function parameter or member 'stat' not described in 'tipc_crypto_stats'
   net/tipc/crypto.c:190: warning: Function parameter or member '____cacheline_aligned' not described in 'tipc_crypto'
   net/tipc/crypto.c:275: warning: Function parameter or member 'ukey' not described in 'tipc_aead_key_validate'
   net/tipc/crypto.c:401: warning: Function parameter or member 'aead' not described in 'tipc_aead_tfm_next'
   net/ipv4/ah4.c:512:4: warning: format specifies type 'unsigned short' but the argument has type 'int' [-Wformat]
                           aalg_desc->uinfo.auth.icv_fullbits / 8);
                           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/printk.h:305:34: note: expanded from macro 'pr_info'
           printk(KERN_INFO pr_fmt(fmt), ##__VA_ARGS__)
                                   ~~~     ^~~~~~~~~~~
   1 warning generated.
   net/ipv4/esp4.c:1122:5: warning: format specifies type 'unsigned short' but the argument has type 'int' [-Wformat]
                                   aalg_desc->uinfo.auth.icv_fullbits / 8);
                                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/printk.h:305:34: note: expanded from macro 'pr_info'
           printk(KERN_INFO pr_fmt(fmt), ##__VA_ARGS__)
                                   ~~~     ^~~~~~~~~~~
   net/ipv6/esp6.c:811:5: warning: format specifies type 'unsigned short' but the argument has type 'int' [-Wformat]
                                   aalg_desc->uinfo.auth.icv_fullbits / 8);
                                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/printk.h:305:34: note: expanded from macro 'pr_info'
           printk(KERN_INFO pr_fmt(fmt), ##__VA_ARGS__)
                                   ~~~     ^~~~~~~~~~~
   1 warning generated.
   1 warning generated.
   net/ipv6/ah6.c:709:4: warning: format specifies type 'unsigned short' but the argument has type 'int' [-Wformat]
                           aalg_desc->uinfo.auth.icv_fullbits/8);
                           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/printk.h:305:34: note: expanded from macro 'pr_info'
           printk(KERN_INFO pr_fmt(fmt), ##__VA_ARGS__)
                                   ~~~     ^~~~~~~~~~~
   1 warning generated.
>> net/netfilter/nf_tables_api.c:2159:13: error: implicit declaration of function 'nft_trans_chain_id' [-Werror,-Wimplicit-function-declaration]
                       id == nft_trans_chain_id(trans))
                             ^
   net/netfilter/nf_tables_api.c:2159:13: note: did you mean 'nft_trans_chain_add'?
   net/netfilter/nf_tables_api.c:275:26: note: 'nft_trans_chain_add' declared here
   static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
                            ^
   1 error generated.
   make[3]: *** [scripts/Makefile.build:266: net/netfilter/nf_tables_api.o] Error 1
   net/ipv6/ip6_gre.c:848:20: warning: unused function 'ip6gre_tnl_addr_conflict' [-Wunused-function]
   static inline bool ip6gre_tnl_addr_conflict(const struct ip6_tnl *t,
                      ^
   1 warning generated.
   net/ipv6/ip6_vti.c:138: warning: Function parameter or member 'ip6n' not described in 'vti6_tnl_bucket'
   net/wireless/wext-compat.c:229: warning: Excess function parameter 'dev' description in 'cfg80211_wext_freq'
   net/ipv6/ip6_tunnel.c:140: warning: Function parameter or member 'start' not described in 'for_each_ip6_tunnel_rcu'
   net/ipv6/ip6_tunnel.c:140: warning: Excess function parameter 'link' description in 'for_each_ip6_tunnel_rcu'
   net/ipv6/ip6_tunnel.c:140: warning: Excess function parameter 'remote' description in 'for_each_ip6_tunnel_rcu'
   net/ipv6/ip6_tunnel.c:140: warning: Excess function parameter 'local' description in 'for_each_ip6_tunnel_rcu'
   net/ipv6/ip6_tunnel.c:217: warning: Function parameter or member 'ip6n' not described in 'ip6_tnl_bucket'
   net/ipv6/ip6_tunnel.c:237: warning: Function parameter or member 'ip6n' not described in 'ip6_tnl_link'
   net/ipv6/ip6_tunnel.c:253: warning: Function parameter or member 'ip6n' not described in 'ip6_tnl_unlink'
   net/ipv6/ip6_tunnel.c:316: warning: Function parameter or member 'net' not described in 'ip6_tnl_create'
   net/ipv6/ip6_tunnel.c:316: warning: Excess function parameter 'pt' description in 'ip6_tnl_create'
   net/ipv6/ip6_tunnel.c:368: warning: Function parameter or member 'net' not described in 'ip6_tnl_locate'
   net/ipv6/ip6_tunnel.c:425: warning: Function parameter or member 'raw' not described in 'ip6_tnl_parse_tlv_enc_lim'
   net/ipv6/ip6_tunnel.c:497: warning: Function parameter or member 'skb' not described in 'ip6_tnl_err'
   net/ipv6/ip6_tunnel.c:497: warning: Function parameter or member 'ipproto' not described in 'ip6_tnl_err'
   net/ipv6/ip6_tunnel.c:497: warning: Function parameter or member 'opt' not described in 'ip6_tnl_err'
   net/ipv6/ip6_tunnel.c:497: warning: Function parameter or member 'type' not described in 'ip6_tnl_err'
   net/ipv6/ip6_tunnel.c:497: warning: Function parameter or member 'code' not described in 'ip6_tnl_err'
   net/ipv6/ip6_tunnel.c:497: warning: Function parameter or member 'msg' not described in 'ip6_tnl_err'
   net/ipv6/ip6_tunnel.c:497: warning: Function parameter or member 'info' not described in 'ip6_tnl_err'
   net/ipv6/ip6_tunnel.c:497: warning: Function parameter or member 'offset' not described in 'ip6_tnl_err'
   net/ipv4/tcp_lp.c:97: warning: Function parameter or member 'sk' not described in 'tcp_lp_init'
   net/ipv4/tcp_lp.c:120: warning: Function parameter or member 'sk' not described in 'tcp_lp_cong_avoid'
   net/ipv4/tcp_lp.c:120: warning: Function parameter or member 'ack' not described in 'tcp_lp_cong_avoid'
   net/ipv4/tcp_lp.c:120: warning: Function parameter or member 'acked' not described in 'tcp_lp_cong_avoid'
   net/ipv4/tcp_lp.c:135: warning: Function parameter or member 'sk' not described in 'tcp_lp_remote_hz_estimator'
   net/ipv4/tcp_lp.c:188: warning: Function parameter or member 'sk' not described in 'tcp_lp_owd_calculator'
   net/ipv4/tcp_lp.c:222: warning: Function parameter or member 'sk' not described in 'tcp_lp_rtt_sample'
   net/ipv4/tcp_lp.c:222: warning: Function parameter or member 'rtt' not described in 'tcp_lp_rtt_sample'
   net/ipv4/tcp_lp.c:265: warning: Function parameter or member 'sk' not described in 'tcp_lp_pkts_acked'
   net/ipv4/tcp_lp.c:265: warning: Function parameter or member 'sample' not described in 'tcp_lp_pkts_acked'
   net/sched/cls_flower.c:731:1: warning: unused variable 'mpls_opts_policy' [-Wunused-const-variable]
   mpls_opts_policy[TCA_FLOWER_KEY_MPLS_OPTS_MAX + 1] = {
   ^
   net/sched/cls_flower.c:298:12: warning: stack frame size of 1056 bytes in function 'fl_classify' [-Wframe-larger-than=]
   static int fl_classify(struct sk_buff *skb, const struct tcf_proto *tp,
              ^
   2 warnings generated.
   net/netfilter/nft_set_pipapo.c:413: warning: Function parameter or member 'key' not described in 'nft_pipapo_lookup'
   net/netfilter/nft_set_pipapo.c:413: warning: Excess function parameter 'elem' description in 'nft_pipapo_lookup'
   net/netfilter/nft_set_pipapo.c:1083: warning: Function parameter or member 'e' not described in 'pipapo_map'
   net/netfilter/nft_set_pipapo.c:1083: warning: Excess function parameter 'ext' description in 'pipapo_map'
   net/netfilter/nft_set_pipapo.c:1108: warning: Function parameter or member 'bsize_max' not described in 'pipapo_realloc_scratch'
   net/netfilter/nft_set_pipapo.c:1484: warning: Function parameter or member 'rulemap' not described in 'pipapo_drop'
   make[2]: *** [scripts/Makefile.build:488: net/netfilter] Error 2
   make[3]: Target '__build' not remade because of errors.
   make[2]: Target '__build' not remade because of errors.
..

vim +/nft_trans_chain_id +2159 net/netfilter/nf_tables_api.c

  2148	
  2149	static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
  2150						       const struct nlattr *nla)
  2151	{
  2152		u32 id = ntohl(nla_get_be32(nla));
  2153		struct nft_trans *trans;
  2154	
  2155		list_for_each_entry(trans, &net->nft.commit_list, list) {
  2156			struct nft_chain *chain = trans->ctx.chain;
  2157	
  2158			if (trans->msg_type == NFT_MSG_NEWCHAIN &&
> 2159			    id == nft_trans_chain_id(trans))
  2160				return chain;
  2161		}
  2162		return ERR_PTR(-ENOENT);
  2163	}
  2164	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 31430 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, back to index

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-29 21:03 [PATCH nf-next 0/5,v2] nftables: support for implicit chains binding Pablo Neira Ayuso
2020-06-29 21:03 ` [PATCH nf-next 1/5] netfilter: nf_tables: add NFTA_RULE_CHAIN_ID attribute Pablo Neira Ayuso
2020-06-30 10:24   ` kernel test robot
2020-06-29 21:03 ` [PATCH nf-next 2/5] netfilter: nf_tables: add NFTA_VERDICT_CHAIN_ID attribute Pablo Neira Ayuso
2020-06-29 21:03 ` [PATCH nf-next 3/5] netfilter: nf_tables: expose enum nft_chain_flags through UAPI Pablo Neira Ayuso
2020-06-29 21:03 ` [PATCH nf-next 4/5] netfilter: nf_tables: add nft_chain_add() Pablo Neira Ayuso
2020-06-29 21:03 ` [PATCH nf-next 5/5] netfilter: nf_tables: add NFT_CHAIN_BINDING Pablo Neira Ayuso

Netfilter-Devel Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/netfilter-devel/0 netfilter-devel/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 netfilter-devel netfilter-devel/ https://lore.kernel.org/netfilter-devel \
		netfilter-devel@vger.kernel.org
	public-inbox-index netfilter-devel

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.netfilter-devel


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git