* [PATCH nf] netfilter: nft_dynset: fix timeouts layer than 23 days
@ 2020-12-08 17:38 Pablo Neira Ayuso
2020-12-10 11:16 ` kernel test robot
0 siblings, 1 reply; 2+ messages in thread
From: Pablo Neira Ayuso @ 2020-12-08 17:38 UTC (permalink / raw)
To: netfilter-devel
Use nf_msecs_to_jiffies64 and nf_jiffies64_to_msecs as provided by
8e1102d5a159 ("netfilter: nf_tables: support timeouts larger than 23
days"), otherwise ruleset listing breaks.
Fixes: a8b1e36d0d1d ("netfilter: nft_dynset: fix element timeout for HZ != 1000")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_tables.h | 4 ++++
net/netfilter/nf_tables_api.c | 4 ++--
net/netfilter/nft_dynset.c | 5 ++---
3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 55b4cadf290a..c1c0a4ff92ae 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1524,4 +1524,8 @@ void __init nft_chain_route_init(void);
void nft_chain_route_fini(void);
void nf_tables_trans_destroy_flush_work(void);
+
+int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result);
+__be64 nf_jiffies64_to_msecs(u64 input);
+
#endif /* _NET_NF_TABLES_H */
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 23abf1578594..c2f59879a48d 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3719,7 +3719,7 @@ static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
return 0;
}
-static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
+int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
{
u64 ms = be64_to_cpu(nla_get_be64(nla));
u64 max = (u64)(~((u64)0));
@@ -3733,7 +3733,7 @@ static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
return 0;
}
-static __be64 nf_jiffies64_to_msecs(u64 input)
+__be64 nf_jiffies64_to_msecs(u64 input)
{
return cpu_to_be64(jiffies64_to_msecs(input));
}
diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index 64ca13a1885b..ca6cfbb27051 100644
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -157,8 +157,7 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
if (tb[NFTA_DYNSET_TIMEOUT] != NULL) {
if (!(set->flags & NFT_SET_TIMEOUT))
return -EINVAL;
- timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
- tb[NFTA_DYNSET_TIMEOUT])));
+ timeout = nf_msecs_to_jiffies(be64_to_cpu(nla_get_be64(tb[NFTA_DYNSET_TIMEOUT])));
}
priv->sreg_key = nft_parse_register(tb[NFTA_DYNSET_SREG_KEY]);
@@ -267,7 +266,7 @@ static int nft_dynset_dump(struct sk_buff *skb, const struct nft_expr *expr)
if (nla_put_string(skb, NFTA_DYNSET_SET_NAME, priv->set->name))
goto nla_put_failure;
if (nla_put_be64(skb, NFTA_DYNSET_TIMEOUT,
- cpu_to_be64(jiffies_to_msecs(priv->timeout)),
+ cpu_to_be64(nf_jiffies_to_msecs(priv->timeout)),
NFTA_DYNSET_PAD))
goto nla_put_failure;
if (priv->expr && nft_expr_dump(skb, NFTA_DYNSET_EXPR, priv->expr))
--
2.20.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH nf] netfilter: nft_dynset: fix timeouts layer than 23 days
2020-12-08 17:38 [PATCH nf] netfilter: nft_dynset: fix timeouts layer than 23 days Pablo Neira Ayuso
@ 2020-12-10 11:16 ` kernel test robot
0 siblings, 0 replies; 2+ messages in thread
From: kernel test robot @ 2020-12-10 11:16 UTC (permalink / raw)
To: Pablo Neira Ayuso, netfilter-devel; +Cc: kbuild-all
[-- Attachment #1: Type: text/plain, Size: 8939 bytes --]
Hi Pablo,
I love your patch! Yet something to improve:
[auto build test ERROR on nf/master]
url: https://github.com/0day-ci/linux/commits/Pablo-Neira-Ayuso/netfilter-nft_dynset-fix-timeouts-layer-than-23-days/20201209-014206
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
config: x86_64-rhel (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
reproduce (this is a W=1 build):
# https://github.com/0day-ci/linux/commit/cecc29f4c0cd9cf5b095647a11c29b228de7939b
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Pablo-Neira-Ayuso/netfilter-nft_dynset-fix-timeouts-layer-than-23-days/20201209-014206
git checkout cecc29f4c0cd9cf5b095647a11c29b228de7939b
# save the attached .config to linux build tree
make W=1 ARCH=x86_64
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All errors (new ones prefixed by >>):
net/netfilter/nft_dynset.c: In function 'nft_dynset_init':
>> net/netfilter/nft_dynset.c:160:13: error: implicit declaration of function 'nf_msecs_to_jiffies'; did you mean 'nf_msecs_to_jiffies64'? [-Werror=implicit-function-declaration]
160 | timeout = nf_msecs_to_jiffies(be64_to_cpu(nla_get_be64(tb[NFTA_DYNSET_TIMEOUT])));
| ^~~~~~~~~~~~~~~~~~~
| nf_msecs_to_jiffies64
In file included from include/linux/swab.h:5,
from include/uapi/linux/byteorder/little_endian.h:13,
from include/linux/byteorder/little_endian.h:5,
from arch/x86/include/uapi/asm/byteorder.h:5,
from include/asm-generic/bitops/le.h:6,
from arch/x86/include/asm/bitops.h:395,
from include/linux/bitops.h:29,
from include/linux/kernel.h:12,
from net/netfilter/nft_dynset.c:6:
net/netfilter/nft_dynset.c: In function 'nft_dynset_dump':
>> net/netfilter/nft_dynset.c:269:17: error: implicit declaration of function 'nf_jiffies_to_msecs'; did you mean 'nf_jiffies64_to_msecs'? [-Werror=implicit-function-declaration]
269 | cpu_to_be64(nf_jiffies_to_msecs(priv->timeout)),
| ^~~~~~~~~~~~~~~~~~~
include/uapi/linux/swab.h:128:54: note: in definition of macro '__swab64'
128 | #define __swab64(x) (__u64)__builtin_bswap64((__u64)(x))
| ^
include/linux/byteorder/generic.h:92:21: note: in expansion of macro '__cpu_to_be64'
92 | #define cpu_to_be64 __cpu_to_be64
| ^~~~~~~~~~~~~
net/netfilter/nft_dynset.c:269:5: note: in expansion of macro 'cpu_to_be64'
269 | cpu_to_be64(nf_jiffies_to_msecs(priv->timeout)),
| ^~~~~~~~~~~
cc1: some warnings being treated as errors
vim +160 net/netfilter/nft_dynset.c
104
105 static int nft_dynset_init(const struct nft_ctx *ctx,
106 const struct nft_expr *expr,
107 const struct nlattr * const tb[])
108 {
109 struct nft_dynset *priv = nft_expr_priv(expr);
110 u8 genmask = nft_genmask_next(ctx->net);
111 struct nft_set *set;
112 u64 timeout;
113 int err;
114
115 lockdep_assert_held(&ctx->net->nft.commit_mutex);
116
117 if (tb[NFTA_DYNSET_SET_NAME] == NULL ||
118 tb[NFTA_DYNSET_OP] == NULL ||
119 tb[NFTA_DYNSET_SREG_KEY] == NULL)
120 return -EINVAL;
121
122 if (tb[NFTA_DYNSET_FLAGS]) {
123 u32 flags = ntohl(nla_get_be32(tb[NFTA_DYNSET_FLAGS]));
124
125 if (flags & ~NFT_DYNSET_F_INV)
126 return -EINVAL;
127 if (flags & NFT_DYNSET_F_INV)
128 priv->invert = true;
129 }
130
131 set = nft_set_lookup_global(ctx->net, ctx->table,
132 tb[NFTA_DYNSET_SET_NAME],
133 tb[NFTA_DYNSET_SET_ID], genmask);
134 if (IS_ERR(set))
135 return PTR_ERR(set);
136
137 if (set->ops->update == NULL)
138 return -EOPNOTSUPP;
139
140 if (set->flags & NFT_SET_CONSTANT)
141 return -EBUSY;
142
143 priv->op = ntohl(nla_get_be32(tb[NFTA_DYNSET_OP]));
144 switch (priv->op) {
145 case NFT_DYNSET_OP_ADD:
146 case NFT_DYNSET_OP_DELETE:
147 break;
148 case NFT_DYNSET_OP_UPDATE:
149 if (!(set->flags & NFT_SET_TIMEOUT))
150 return -EOPNOTSUPP;
151 break;
152 default:
153 return -EOPNOTSUPP;
154 }
155
156 timeout = 0;
157 if (tb[NFTA_DYNSET_TIMEOUT] != NULL) {
158 if (!(set->flags & NFT_SET_TIMEOUT))
159 return -EINVAL;
> 160 timeout = nf_msecs_to_jiffies(be64_to_cpu(nla_get_be64(tb[NFTA_DYNSET_TIMEOUT])));
161 }
162
163 priv->sreg_key = nft_parse_register(tb[NFTA_DYNSET_SREG_KEY]);
164 err = nft_validate_register_load(priv->sreg_key, set->klen);
165 if (err < 0)
166 return err;
167
168 if (tb[NFTA_DYNSET_SREG_DATA] != NULL) {
169 if (!(set->flags & NFT_SET_MAP))
170 return -EINVAL;
171 if (set->dtype == NFT_DATA_VERDICT)
172 return -EOPNOTSUPP;
173
174 priv->sreg_data = nft_parse_register(tb[NFTA_DYNSET_SREG_DATA]);
175 err = nft_validate_register_load(priv->sreg_data, set->dlen);
176 if (err < 0)
177 return err;
178 } else if (set->flags & NFT_SET_MAP)
179 return -EINVAL;
180
181 if (tb[NFTA_DYNSET_EXPR] != NULL) {
182 if (!(set->flags & NFT_SET_EVAL))
183 return -EINVAL;
184
185 priv->expr = nft_set_elem_expr_alloc(ctx, set,
186 tb[NFTA_DYNSET_EXPR]);
187 if (IS_ERR(priv->expr))
188 return PTR_ERR(priv->expr);
189
190 if (set->expr && set->expr->ops != priv->expr->ops) {
191 err = -EOPNOTSUPP;
192 goto err_expr_free;
193 }
194 }
195
196 nft_set_ext_prepare(&priv->tmpl);
197 nft_set_ext_add_length(&priv->tmpl, NFT_SET_EXT_KEY, set->klen);
198 if (set->flags & NFT_SET_MAP)
199 nft_set_ext_add_length(&priv->tmpl, NFT_SET_EXT_DATA, set->dlen);
200 if (priv->expr != NULL)
201 nft_set_ext_add_length(&priv->tmpl, NFT_SET_EXT_EXPR,
202 priv->expr->ops->size);
203 if (set->flags & NFT_SET_TIMEOUT) {
204 if (timeout || set->timeout)
205 nft_set_ext_add(&priv->tmpl, NFT_SET_EXT_EXPIRATION);
206 }
207
208 priv->timeout = timeout;
209
210 err = nf_tables_bind_set(ctx, set, &priv->binding);
211 if (err < 0)
212 goto err_expr_free;
213
214 if (set->size == 0)
215 set->size = 0xffff;
216
217 priv->set = set;
218 return 0;
219
220 err_expr_free:
221 if (priv->expr != NULL)
222 nft_expr_destroy(ctx, priv->expr);
223 return err;
224 }
225
226 static void nft_dynset_deactivate(const struct nft_ctx *ctx,
227 const struct nft_expr *expr,
228 enum nft_trans_phase phase)
229 {
230 struct nft_dynset *priv = nft_expr_priv(expr);
231
232 nf_tables_deactivate_set(ctx, priv->set, &priv->binding, phase);
233 }
234
235 static void nft_dynset_activate(const struct nft_ctx *ctx,
236 const struct nft_expr *expr)
237 {
238 struct nft_dynset *priv = nft_expr_priv(expr);
239
240 priv->set->use++;
241 }
242
243 static void nft_dynset_destroy(const struct nft_ctx *ctx,
244 const struct nft_expr *expr)
245 {
246 struct nft_dynset *priv = nft_expr_priv(expr);
247
248 if (priv->expr != NULL)
249 nft_expr_destroy(ctx, priv->expr);
250
251 nf_tables_destroy_set(ctx, priv->set);
252 }
253
254 static int nft_dynset_dump(struct sk_buff *skb, const struct nft_expr *expr)
255 {
256 const struct nft_dynset *priv = nft_expr_priv(expr);
257 u32 flags = priv->invert ? NFT_DYNSET_F_INV : 0;
258
259 if (nft_dump_register(skb, NFTA_DYNSET_SREG_KEY, priv->sreg_key))
260 goto nla_put_failure;
261 if (priv->set->flags & NFT_SET_MAP &&
262 nft_dump_register(skb, NFTA_DYNSET_SREG_DATA, priv->sreg_data))
263 goto nla_put_failure;
264 if (nla_put_be32(skb, NFTA_DYNSET_OP, htonl(priv->op)))
265 goto nla_put_failure;
266 if (nla_put_string(skb, NFTA_DYNSET_SET_NAME, priv->set->name))
267 goto nla_put_failure;
268 if (nla_put_be64(skb, NFTA_DYNSET_TIMEOUT,
> 269 cpu_to_be64(nf_jiffies_to_msecs(priv->timeout)),
270 NFTA_DYNSET_PAD))
271 goto nla_put_failure;
272 if (priv->expr && nft_expr_dump(skb, NFTA_DYNSET_EXPR, priv->expr))
273 goto nla_put_failure;
274 if (nla_put_be32(skb, NFTA_DYNSET_FLAGS, htonl(flags)))
275 goto nla_put_failure;
276 return 0;
277
278 nla_put_failure:
279 return -1;
280 }
281
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 45618 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-12-10 11:17 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-12-08 17:38 [PATCH nf] netfilter: nft_dynset: fix timeouts layer than 23 days Pablo Neira Ayuso
2020-12-10 11:16 ` kernel test robot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).