Skip to content

Commit 837830a

Browse files
ummakynesummakynes
committed
netfilter: nf_tables: add NFTA_RULE_CHAIN_ID attribute
This new netlink attribute allows you to add rules to chains by the chain ID. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
1 parent 74cccc3 commit 837830a

File tree

2 files changed

+33
-4
lines changed

2 files changed

+33
-4
lines changed

include/uapi/linux/netfilter/nf_tables.h

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -240,6 +240,7 @@ enum nft_rule_attributes {
240240
NFTA_RULE_PAD,
241241
NFTA_RULE_ID,
242242
NFTA_RULE_POSITION_ID,
243+
NFTA_RULE_CHAIN_ID,
243244
__NFTA_RULE_MAX
244245
};
245246
#define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1)

net/netfilter/nf_tables_api.c

Lines changed: 32 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -2153,6 +2153,22 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
21532153
return err;
21542154
}
21552155

2156+
static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2157+
const struct nlattr *nla)
2158+
{
2159+
u32 id = ntohl(nla_get_be32(nla));
2160+
struct nft_trans *trans;
2161+
2162+
list_for_each_entry(trans, &net->nft.commit_list, list) {
2163+
struct nft_chain *chain = trans->ctx.chain;
2164+
2165+
if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2166+
id == nft_trans_chain_id(trans))
2167+
return chain;
2168+
}
2169+
return ERR_PTR(-ENOENT);
2170+
}
2171+
21562172
static int nf_tables_newchain(struct net *net, struct sock *nlsk,
21572173
struct sk_buff *skb, const struct nlmsghdr *nlh,
21582174
const struct nlattr * const nla[],
@@ -2633,6 +2649,7 @@ static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
26332649
.len = NFT_USERDATA_MAXLEN },
26342650
[NFTA_RULE_ID] = { .type = NLA_U32 },
26352651
[NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2652+
[NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
26362653
};
26372654

26382655
static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
@@ -3039,10 +3056,21 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk,
30393056
return PTR_ERR(table);
30403057
}
30413058

3042-
chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3043-
if (IS_ERR(chain)) {
3044-
NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3045-
return PTR_ERR(chain);
3059+
if (nla[NFTA_RULE_CHAIN]) {
3060+
chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3061+
genmask);
3062+
if (IS_ERR(chain)) {
3063+
NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3064+
return PTR_ERR(chain);
3065+
}
3066+
} else if (nla[NFTA_RULE_CHAIN_ID]) {
3067+
chain = nft_chain_lookup_byid(net, nla[NFTA_RULE_CHAIN_ID]);
3068+
if (IS_ERR(chain)) {
3069+
NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
3070+
return PTR_ERR(chain);
3071+
}
3072+
} else {
3073+
return -EINVAL;
30463074
}
30473075

30483076
if (nla[NFTA_RULE_HANDLE]) {

0 commit comments

Comments
 (0)