
Commit 6001a93

committed
netfilter: nftables: introduce table ownership
A userspace daemon like firewalld might need to monitor for netlink updates to detect its ruleset removal by the (global) flush ruleset command to ensure ruleset persistency. This adds extra complexity from userspace and, for some little time, the firewall policy is not in place. This patch adds the NFT_TABLE_F_OWNER flag which allows a userspace program to own, in exclusivity, the table that it creates. Tables that are owned... - can only be updated and removed by the owner; non-owners hit EPERM if they try to update or remove it. - are destroyed when the owner closes the netlink socket or the process is gone (implicit netlink socket closure). - are skipped by the global flush ruleset command. - are listed in the global ruleset. The userspace process that sets the NFT_TABLE_F_OWNER flag needs to leave the netlink socket open. A new NFTA_TABLE_OWNER netlink attribute specifies the netlink port ID to identify the owner from userspace. This patch also updates error reporting when an unknown table flag is specified, changing it from EINVAL to EOPNOTSUPP given that EINVAL is usually reserved to report malformed netlink messages to userspace. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
1 parent 00dfe9b commit 6001a93


3 files changed

+128
-46
lines changed


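--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1106,11 +1106,17 @@ struct nft_table {
 u16 family:6,
 flags:8,
 genmask:2;
+u32 nlpid;
 char *name;
 u16 udlen;
 u8 *udata;
 };
 
+static inline bool nft_table_has_owner(const struct nft_table *table)
+{
+return table->flags & NFT_TABLE_F_OWNER;
+}
+
 static inline bool nft_base_chain_netdev(int family, u32 hooknum)
 {
 return family == NFPROTO_NETDEV ||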
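--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -164,7 +164,10 @@ enum nft_hook_attributes {
 */
 enum nft_table_flags {
 NFT_TABLE_F_DORMANT = 0x1,
+NFT_TABLE_F_OWNER = 0x2,
 };
+#define NFT_TABLE_F_MASK (NFT_TABLE_F_DORMANT | \
+NFT_TABLE_F_OWNER)
 
 /**
 * enum nft_table_attributes - nf_tables table netlink attributes
@@ -173,6 +176,7 @@ enum nft_table_flags {
 * @NFTA_TABLE_FLAGS: bitmask of enum nft_table_flags (NLA_U32)
 * @NFTA_TABLE_USE: number of chains in this table (NLA_U32)
 * @NFTA_TABLE_USERDATA: user data (NLA_BINARY)
+* @NFTA_TABLE_OWNER: owner of this table through netlink portID (NLA_U32)
 */
 enum nft_table_attributes {
 NFTA_TABLE_UNSPEC,
@@ -182,6 +186,7 @@ enum nft_table_attributes {
 NFTA_TABLE_HANDLE,
 NFTA_TABLE_PAD,
 NFTA_TABLE_USERDATA,
+NFTA_TABLE_OWNER,
 __NFTA_TABLE_MAX
 };
 #define NFTA_TABLE_MAX (__NFTA_TABLE_MAX - 1)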