
Commit bed4a63

netfilter: nf_tables: consolidate set description
Add the following fields to the set description: key type, data type, object type, policy, gc_int (garbage collection interval) and timeout (element timeout). This prepares for stricter set type checks on updates in a follow-up patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
1 parent 5eb119d commit bed4a63

2 files changed

+40
-30
lines changed


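--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -312,17 +312,29 @@ struct nft_set_iter {
 /**
 * struct nft_set_desc - description of set elements
 *
+* @ktype: key type
 * @klen: key length
+* @dtype: data type
 * @dlen: data length
+* @objtype: object type
+* @flags: flags
 * @size: number of set elements
+* @policy: set policy
+* @gc_int: garbage collector interval
 * @field_len: length of each field in concatenation, bytes
 * @field_count: number of concatenated fields in element
 * @expr: set must support for expressions
 */
 struct nft_set_desc {
+u32 ktype;
 unsigned int klen;
+u32 dtype;
 unsigned int dlen;
+u32 objtype;
 unsigned int size;
+u32 policy;
+u32 gc_int;
+u64 timeout;
 u8 field_len[NFT_REG32_COUNT];
 u8 field_count;
 bool expr;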
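Review bot: The kernel-doc block gains `@ktype`, `@dtype`, `@objtype`, `@flags`, `@policy` and `@gc_int` entries, but the new `u64 timeout` member gets no `@timeout:` line, so the struct's documentation is already out of step with its fields in the same hunk; add ` * @timeout: element timeout` after the `@gc_int` line, which is how the commit message itself describes it. Conversely, `@flags: flags` is documented while no `flags` member appears in the visible part of `struct nft_set_desc`; the struct's closing brace lies outside the hunk, so either a member exists further down or this entry is stale and should be dropped. Since the .c side fills `timeout` through `nf_msecs_to_jiffies64()` but stores `gc_int` as the raw `ntohl()`'d attribute value, stating the unit of each in its kernel-doc line (presumably jiffies for `timeout`; the unconverted userspace value for `gc_int`, to be confirmed) would keep later consumers of the description from mixing them.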

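--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3780,8 +3780,7 @@ static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
 static const struct nft_set_ops *
 nft_select_set_ops(const struct nft_ctx *ctx,
 const struct nlattr * const nla[],
-const struct nft_set_desc *desc,
-enum nft_set_policies policy)
+const struct nft_set_desc *desc)
 {
 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
 const struct nft_set_ops *ops, *bops;
@@ -3810,7 +3809,7 @@ nft_select_set_ops(const struct nft_ctx *ctx,
 if (!ops->estimate(desc, flags, &est))
 continue;
 
-switch (policy) {
+switch (desc->policy) {
 case NFT_SET_POL_PERFORMANCE:
 if (est.lookup < best.lookup)
 break;
@@ -4392,7 +4391,6 @@ static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
 const struct nlattr * const nla[])
 {
-u32 ktype, dtype, flags, policy, gc_int, objtype;
 struct netlink_ext_ack *extack = info->extack;
 u8 genmask = nft_genmask_next(info->net);
 u8 family = info->nfmsg->nfgen_family;
@@ -4405,10 +4403,10 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
 struct nft_set *set;
 struct nft_ctx ctx;
 size_t alloc_size;
-u64 timeout;
 char *name;
 int err, i;
 u16 udlen;
+u32 flags;
 u64 size;
 
 if (nla[NFTA_SET_TABLE] == NULL ||
@@ -4419,10 +4417,10 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
 
 memset(&desc, 0, sizeof(desc));
 
-ktype = NFT_DATA_VALUE;
+desc.ktype = NFT_DATA_VALUE;
 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
-ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
-if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
+desc.ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
+if ((desc.ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
 return -EINVAL;
 }
 
@@ -4447,17 +4445,17 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
 return -EOPNOTSUPP;
 }
 
-dtype = 0;
+desc.dtype = 0;
 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
 if (!(flags & NFT_SET_MAP))
 return -EINVAL;
 
-dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
-if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
-dtype != NFT_DATA_VERDICT)
+desc.dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
+if ((desc.dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
+desc.dtype != NFT_DATA_VERDICT)
 return -EINVAL;
 
-if (dtype != NFT_DATA_VERDICT) {
+if (desc.dtype != NFT_DATA_VERDICT) {
 if (nla[NFTA_SET_DATA_LEN] == NULL)
 return -EINVAL;
 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
@@ -4472,34 +4470,34 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
 if (!(flags & NFT_SET_OBJECT))
 return -EINVAL;
 
-objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
-if (objtype == NFT_OBJECT_UNSPEC ||
-objtype > NFT_OBJECT_MAX)
+desc.objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
+if (desc.objtype == NFT_OBJECT_UNSPEC ||
+desc.objtype > NFT_OBJECT_MAX)
 return -EOPNOTSUPP;
 } else if (flags & NFT_SET_OBJECT)
 return -EINVAL;
 else
-objtype = NFT_OBJECT_UNSPEC;
+desc.objtype = NFT_OBJECT_UNSPEC;
 
-timeout = 0;
+desc.timeout = 0;
 if (nla[NFTA_SET_TIMEOUT] != NULL) {
 if (!(flags & NFT_SET_TIMEOUT))
 return -EINVAL;
 
-err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
+err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &desc.timeout);
 if (err)
 return err;
 }
-gc_int = 0;
+desc.gc_int = 0;
 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
 if (!(flags & NFT_SET_TIMEOUT))
 return -EINVAL;
-gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
+desc.gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
 }
 
-policy = NFT_SET_POL_PERFORMANCE;
+desc.policy = NFT_SET_POL_PERFORMANCE;
 if (nla[NFTA_SET_POLICY] != NULL)
-policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
+desc.policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
 
 if (nla[NFTA_SET_DESC] != NULL) {
 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
@@ -4544,7 +4542,7 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))
 return -ENOENT;
 
-ops = nft_select_set_ops(&ctx, nla, &desc, policy);
+ops = nft_select_set_ops(&ctx, nla, &desc);
 if (IS_ERR(ops))
 return PTR_ERR(ops);
 
@@ -4584,18 +4582,18 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
 set->table = table;
 write_pnet(&set->net, net);
 set->ops = ops;
-set->ktype = ktype;
+set->ktype = desc.ktype;
 set->klen = desc.klen;
-set->dtype = dtype;
-set->objtype = objtype;
+set->dtype = desc.dtype;
+set->objtype = desc.objtype;
 set->dlen = desc.dlen;
 set->flags = flags;
 set->size = desc.size;
-set->policy = policy;
+set->policy = desc.policy;
 set->udlen = udlen;
 set->udata = udata;
-set->timeout = timeout;
-set->gc_int = gc_int;
+set->timeout = desc.timeout;
+set->gc_int = desc.gc_int;
 
 set->field_count = desc.field_count;
 for (i = 0; i < desc.field_count; i++)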
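Review bot: `desc.policy` is now a plain `u32` filled straight from `ntohl(nla_get_be32(nla[NFTA_SET_POLICY]))` with no range check anywhere in these hunks, and dropping the `enum nft_set_policies policy` parameter from `nft_select_set_ops()` also removes the only type-level hint of the accepted domain; the `switch (desc->policy)` shows just the `NFT_SET_POL_PERFORMANCE` arm here, so whether an arbitrary userspace value is rejected or silently falls to a default depends on code outside the hunk. If it is not rejected elsewhere, validating the attribute against the enum's known values right after it is read (returning `-EINVAL` otherwise) would pin the accepted set before the announced follow-up starts comparing this field on set updates. Separately, `desc.dtype = 0;`, `desc.timeout = 0;` and `desc.gc_int = 0;` are redundant after the `memset(&desc, 0, sizeof(desc))` a few lines above; dropping them, or adding `/* explicit for readability; desc is already zeroed */`, would make the consolidation read as intended. Both `nft_select_set_ops()` and `nf_tables_newset()` extend beyond the hunks shown, so the `flags` assignment and the policy switch's remaining arms could not be checked here.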
