mirror of
https://github.com/torvalds/linux.git
synced 2025-04-12 06:49:52 +00:00
netfilter pull request 24-09-06
-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEN9lkrMBJgcdVAPub1V2XiooUIOQFAmbaOvIACgkQ1V2XiooU IOT/oQ/+JTsIkXRn8XAOgjsbxOEOvrUPAzb72Atz/cCA0RPQkHXbdZtxLDPbcN1v lQG6R+ZK+trS70fIMqnfSbEB/eaCWum+/kd9ZSp5RCFW4M9OVde+KTJj+IfEzsQZ spZRR53VnAN5jSeI2U3w4iYnyCWn5Xtp2sGETrjh43yK3cirvo7sZd/+477gZiGp qBDEgZrzcDzfm8IxJCCUeJdcNeM7ytoMhuyITT9YrvUt0Qo6+qPsx5hVFwMFly/M WkvxCR/1DR+Unhp4a30STEPPxDR0f284WoaiuxEvNAN2yP7p7O35mcStzyfhlOh+ wB/Cc4ESBa3fPRhA+l3FDsdyrlHsi3c8VUwBWcXVryeD5e1mzyveXye9O2HtWmET wBtukfdPORu8JBBHxf3kmv+ZLAJLjAwyO1G1DHFruL/yEAJIDq4gluxlR+71rg7n qAZUvvV3MGQMCNIO3GlQ6ODtl0UcIUTHwW5//MEaxOC/aqWN/fr/keSz8xGE2Qkt 47TFbBiGC6UR0KD+wWGAWfOlWN4G9m7E4SG++vCkXJGio4bvyGl8TxorWsh99vCv BMq59ZRtsS1xiEcWF48Q0Y5YtURIdCih/LcfDdbIQFzkNlHzzGpo68MHN/anqgu/ GE4JTdgjf79lfDqJDqdnQiio7P44NZqhkeUT8yQTE1xbIKsQRNY= =Uxb1 -----END PGP SIGNATURE----- Merge tag 'nf-next-24-09-06' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next Pablo Neira Ayuso says: ==================== Netfilter updates for net-next The following patchset contains Netfilter updates for net-next: Patch #1 adds ctnetlink support for kernel side filtering for deletions, from Changliang Wu. Patch #2 updates nft_counter support to Use u64_stats_t, from Sebastian Andrzej Siewior. Patch #3 uses kmemdup_array() in all xtables frontends, from Yan Zhen. Patch #4 is a oneliner to use ERR_CAST() in nf_conntrack instead opencoded casting, from Shen Lichuan. Patch #5 removes unused argument in nftables .validate interface, from Florian Westphal. Patch #6 is a oneliner to correct a typo in nftables kdoc, from Simon Horman. Patch #7 fixes missing kdoc in nftables, also from Simon. Patch #8 updates nftables to handle timeout less than CONFIG_HZ. Patch #9 rejects element expiration if timeout is zero, otherwise it is silently ignored. Patch #10 disallows element expiration larger than timeout. Patch #11 removes unnecessary READ_ONCE annotation while mutex is held. Patch #12 adds missing READ_ONCE/WRITE_ONCE annotation in dynset. Patch #13 annotates data-races around element expiration. Patch #14 allocates timeout and expiration in one single set element extension, they are tighly couple, no reason to keep them separated anymore. Patch #15 updates nftables to interpret zero timeout element as never times out. Note that it is already possible to declare sets with elements that never time out but this generalizes to all kind of set with timeouts. Patch #16 supports for element timeout and expiration updates. * tag 'nf-next-24-09-06' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next: netfilter: nf_tables: set element timeout update support netfilter: nf_tables: zero timeout means element never times out netfilter: nf_tables: consolidate timeout extension for elements netfilter: nf_tables: annotate data-races around element expiration netfilter: nft_dynset: annotate data-races around set timeout netfilter: nf_tables: remove annotation to access set timeout while holding lock netfilter: nf_tables: reject expiration higher than timeout netfilter: nf_tables: reject element expiration with no timeout netfilter: nf_tables: elements with timeout below CONFIG_HZ never expire netfilter: nf_tables: Add missing Kernel doc netfilter: nf_tables: Correct spelling in nf_tables.h netfilter: nf_tables: drop unused 3rd argument from validate callback ops netfilter: conntrack: Convert to use ERR_CAST() netfilter: Use kmemdup_array instead of kmemdup for multiple allocation netfilter: nft_counter: Use u64_stats_t for statistic. netfilter: ctnetlink: support CTA_FILTER for flush ==================== Link: https://patch.msgid.link/20240905232920.5481-1-pablo@netfilter.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
This commit is contained in:
Jakub Kicinski
commit
f723224742
@ -209,6 +209,7 @@ static inline void nft_data_copy(u32 *dst, const struct nft_data *src,
|
||||
* @family: protocol family
|
||||
* @level: depth of the chains
|
||||
* @report: notify via unicast netlink message
|
||||
* @reg_inited: bitmap of initialised registers
|
||||
*/
|
||||
struct nft_ctx {
|
||||
struct net *net;
|
||||
@ -313,6 +314,7 @@ static inline void *nft_elem_priv_cast(const struct nft_elem_priv *priv)
|
||||
/**
|
||||
* enum nft_iter_type - nftables set iterator type
|
||||
*
|
||||
* @NFT_ITER_UNSPEC: unspecified, to catch errors
|
||||
* @NFT_ITER_READ: read-only iteration over set elements
|
||||
* @NFT_ITER_UPDATE: iteration under mutex to update set element state
|
||||
*/
|
||||
@ -685,9 +687,8 @@ void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set);
|
||||
* @NFT_SET_EXT_DATA: mapping data
|
||||
* @NFT_SET_EXT_FLAGS: element flags
|
||||
* @NFT_SET_EXT_TIMEOUT: element timeout
|
||||
* @NFT_SET_EXT_EXPIRATION: element expiration time
|
||||
* @NFT_SET_EXT_USERDATA: user data associated with the element
|
||||
* @NFT_SET_EXT_EXPRESSIONS: expressions assiciated with the element
|
||||
* @NFT_SET_EXT_EXPRESSIONS: expressions associated with the element
|
||||
* @NFT_SET_EXT_OBJREF: stateful object reference associated with element
|
||||
* @NFT_SET_EXT_NUM: number of extension types
|
||||
*/
|
||||
@ -697,7 +698,6 @@ enum nft_set_extensions {
|
||||
NFT_SET_EXT_DATA,
|
||||
NFT_SET_EXT_FLAGS,
|
||||
NFT_SET_EXT_TIMEOUT,
|
||||
NFT_SET_EXT_EXPIRATION,
|
||||
NFT_SET_EXT_USERDATA,
|
||||
NFT_SET_EXT_EXPRESSIONS,
|
||||
NFT_SET_EXT_OBJREF,
|
||||
@ -809,16 +809,16 @@ static inline u8 *nft_set_ext_flags(const struct nft_set_ext *ext)
|
||||
return nft_set_ext(ext, NFT_SET_EXT_FLAGS);
|
||||
}
|
||||
|
||||
static inline u64 *nft_set_ext_timeout(const struct nft_set_ext *ext)
|
||||
struct nft_timeout {
|
||||
u64 timeout;
|
||||
u64 expiration;
|
||||
};
|
||||
|
||||
static inline struct nft_timeout *nft_set_ext_timeout(const struct nft_set_ext *ext)
|
||||
{
|
||||
return nft_set_ext(ext, NFT_SET_EXT_TIMEOUT);
|
||||
}
|
||||
|
||||
static inline u64 *nft_set_ext_expiration(const struct nft_set_ext *ext)
|
||||
{
|
||||
return nft_set_ext(ext, NFT_SET_EXT_EXPIRATION);
|
||||
}
|
||||
|
||||
static inline struct nft_userdata *nft_set_ext_userdata(const struct nft_set_ext *ext)
|
||||
{
|
||||
return nft_set_ext(ext, NFT_SET_EXT_USERDATA);
|
||||
@ -832,8 +832,11 @@ static inline struct nft_set_elem_expr *nft_set_ext_expr(const struct nft_set_ex
|
||||
static inline bool __nft_set_elem_expired(const struct nft_set_ext *ext,
|
||||
u64 tstamp)
|
||||
{
|
||||
return nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION) &&
|
||||
time_after_eq64(tstamp, *nft_set_ext_expiration(ext));
|
||||
if (!nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) ||
|
||||
READ_ONCE(nft_set_ext_timeout(ext)->timeout) == 0)
|
||||
return false;
|
||||
|
||||
return time_after_eq64(tstamp, READ_ONCE(nft_set_ext_timeout(ext)->expiration));
|
||||
}
|
||||
|
||||
static inline bool nft_set_elem_expired(const struct nft_set_ext *ext)
|
||||
@ -961,8 +964,7 @@ struct nft_expr_ops {
|
||||
const struct nft_expr *expr,
|
||||
bool reset);
|
||||
int (*validate)(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr,
|
||||
const struct nft_data **data);
|
||||
const struct nft_expr *expr);
|
||||
bool (*reduce)(struct nft_regs_track *track,
|
||||
const struct nft_expr *expr);
|
||||
bool (*gc)(struct net *net,
|
||||
@ -1747,10 +1749,18 @@ struct nft_trans_table {
|
||||
#define nft_trans_table_update(trans) \
|
||||
nft_trans_container_table(trans)->update
|
||||
|
||||
enum nft_trans_elem_flags {
|
||||
NFT_TRANS_UPD_TIMEOUT = (1 << 0),
|
||||
NFT_TRANS_UPD_EXPIRATION = (1 << 1),
|
||||
};
|
||||
|
||||
struct nft_trans_elem {
|
||||
struct nft_trans nft_trans;
|
||||
struct nft_set *set;
|
||||
struct nft_elem_priv *elem_priv;
|
||||
u64 timeout;
|
||||
u64 expiration;
|
||||
u8 update_flags;
|
||||
bool bound;
|
||||
};
|
||||
|
||||
@ -1760,6 +1770,12 @@ struct nft_trans_elem {
|
||||
nft_trans_container_elem(trans)->set
|
||||
#define nft_trans_elem_priv(trans) \
|
||||
nft_trans_container_elem(trans)->elem_priv
|
||||
#define nft_trans_elem_update_flags(trans) \
|
||||
nft_trans_container_elem(trans)->update_flags
|
||||
#define nft_trans_elem_timeout(trans) \
|
||||
nft_trans_container_elem(trans)->timeout
|
||||
#define nft_trans_elem_expiration(trans) \
|
||||
nft_trans_container_elem(trans)->expiration
|
||||
#define nft_trans_elem_set_bound(trans) \
|
||||
nft_trans_container_elem(trans)->bound
|
||||
|
||||
|
||||
@ -36,6 +36,7 @@ __be32 nf_tproxy_laddr4(struct sk_buff *skb, __be32 user_laddr, __be32 daddr);
|
||||
|
||||
/**
|
||||
* nf_tproxy_handle_time_wait4 - handle IPv4 TCP TIME_WAIT reopen redirections
|
||||
* @net: The network namespace.
|
||||
* @skb: The skb being processed.
|
||||
* @laddr: IPv4 address to redirect to or zero.
|
||||
* @lport: TCP port to redirect to or zero.
|
||||
|
||||
@ -21,9 +21,7 @@ nft_fib_is_loopback(const struct sk_buff *skb, const struct net_device *in)
|
||||
int nft_fib_dump(struct sk_buff *skb, const struct nft_expr *expr, bool reset);
|
||||
int nft_fib_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
|
||||
const struct nlattr * const tb[]);
|
||||
int nft_fib_validate(const struct nft_ctx *ctx, const struct nft_expr *expr,
|
||||
const struct nft_data **data);
|
||||
|
||||
int nft_fib_validate(const struct nft_ctx *ctx, const struct nft_expr *expr);
|
||||
|
||||
void nft_fib4_eval_type(const struct nft_expr *expr, struct nft_regs *regs,
|
||||
const struct nft_pktinfo *pkt);
|
||||
|
||||
@ -41,8 +41,7 @@ void nft_meta_set_destroy(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr);
|
||||
|
||||
int nft_meta_set_validate(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr,
|
||||
const struct nft_data **data);
|
||||
const struct nft_expr *expr);
|
||||
|
||||
bool nft_meta_get_reduce(struct nft_regs_track *track,
|
||||
const struct nft_expr *expr);
|
||||
|
||||
@ -15,8 +15,7 @@ struct nft_reject {
|
||||
extern const struct nla_policy nft_reject_policy[];
|
||||
|
||||
int nft_reject_validate(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr,
|
||||
const struct nft_data **data);
|
||||
const struct nft_expr *expr);
|
||||
|
||||
int nft_reject_init(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr,
|
||||
|
||||
@ -436,7 +436,7 @@ enum nft_set_elem_flags {
|
||||
* @NFTA_SET_ELEM_KEY: key value (NLA_NESTED: nft_data)
|
||||
* @NFTA_SET_ELEM_DATA: data value of mapping (NLA_NESTED: nft_data_attributes)
|
||||
* @NFTA_SET_ELEM_FLAGS: bitmask of nft_set_elem_flags (NLA_U32)
|
||||
* @NFTA_SET_ELEM_TIMEOUT: timeout value (NLA_U64)
|
||||
* @NFTA_SET_ELEM_TIMEOUT: timeout value, zero means never times out (NLA_U64)
|
||||
* @NFTA_SET_ELEM_EXPIRATION: expiration time (NLA_U64)
|
||||
* @NFTA_SET_ELEM_USERDATA: user data (NLA_BINARY)
|
||||
* @NFTA_SET_ELEM_EXPR: expression (NLA_NESTED: nft_expr_attributes)
|
||||
|
||||
@ -1256,7 +1256,7 @@ int ebt_register_table(struct net *net, const struct ebt_table *input_table,
|
||||
goto free_unlock;
|
||||
}
|
||||
|
||||
ops = kmemdup(template_ops, sizeof(*ops) * num_ops, GFP_KERNEL);
|
||||
ops = kmemdup_array(template_ops, num_ops, sizeof(*ops), GFP_KERNEL);
|
||||
if (!ops) {
|
||||
ret = -ENOMEM;
|
||||
if (newinfo->nentries)
|
||||
|
||||
@ -168,8 +168,7 @@ static bool nft_meta_bridge_set_reduce(struct nft_regs_track *track,
|
||||
}
|
||||
|
||||
static int nft_meta_bridge_set_validate(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr,
|
||||
const struct nft_data **data)
|
||||
const struct nft_expr *expr)
|
||||
{
|
||||
struct nft_meta *priv = nft_expr_priv(expr);
|
||||
unsigned int hooks;
|
||||
@ -179,7 +178,7 @@ static int nft_meta_bridge_set_validate(const struct nft_ctx *ctx,
|
||||
hooks = 1 << NF_BR_PRE_ROUTING;
|
||||
break;
|
||||
default:
|
||||
return nft_meta_set_validate(ctx, expr, data);
|
||||
return nft_meta_set_validate(ctx, expr);
|
||||
}
|
||||
|
||||
return nft_chain_validate_hooks(ctx->chain, hooks);
|
||||
|
||||
@ -170,8 +170,7 @@ out:
|
||||
}
|
||||
|
||||
static int nft_reject_bridge_validate(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr,
|
||||
const struct nft_data **data)
|
||||
const struct nft_expr *expr)
|
||||
{
|
||||
return nft_chain_validate_hooks(ctx->chain, (1 << NF_BR_PRE_ROUTING) |
|
||||
(1 << NF_BR_LOCAL_IN));
|
||||
|
||||
@ -1547,7 +1547,7 @@ int arpt_register_table(struct net *net,
|
||||
goto out_free;
|
||||
}
|
||||
|
||||
ops = kmemdup(template_ops, sizeof(*ops) * num_ops, GFP_KERNEL);
|
||||
ops = kmemdup_array(template_ops, num_ops, sizeof(*ops), GFP_KERNEL);
|
||||
if (!ops) {
|
||||
ret = -ENOMEM;
|
||||
goto out_free;
|
||||
|
||||
@ -1767,7 +1767,7 @@ int ipt_register_table(struct net *net, const struct xt_table *table,
|
||||
goto out_free;
|
||||
}
|
||||
|
||||
ops = kmemdup(template_ops, sizeof(*ops) * num_ops, GFP_KERNEL);
|
||||
ops = kmemdup_array(template_ops, num_ops, sizeof(*ops), GFP_KERNEL);
|
||||
if (!ops) {
|
||||
ret = -ENOMEM;
|
||||
goto out_free;
|
||||
|
||||
@ -1773,7 +1773,7 @@ int ip6t_register_table(struct net *net, const struct xt_table *table,
|
||||
goto out_free;
|
||||
}
|
||||
|
||||
ops = kmemdup(template_ops, sizeof(*ops) * num_ops, GFP_KERNEL);
|
||||
ops = kmemdup_array(template_ops, num_ops, sizeof(*ops), GFP_KERNEL);
|
||||
if (!ops) {
|
||||
ret = -ENOMEM;
|
||||
goto out_free;
|
||||
|
||||
@ -1722,7 +1722,7 @@ init_conntrack(struct net *net, struct nf_conn *tmpl,
|
||||
ct = __nf_conntrack_alloc(net, zone, tuple, &repl_tuple, GFP_ATOMIC,
|
||||
hash);
|
||||
if (IS_ERR(ct))
|
||||
return (struct nf_conntrack_tuple_hash *)ct;
|
||||
return ERR_CAST(ct);
|
||||
|
||||
if (!nf_ct_add_synproxy(ct, tmpl)) {
|
||||
nf_conntrack_free(ct);
|
||||
|
||||
@ -1579,9 +1579,6 @@ static int ctnetlink_flush_conntrack(struct net *net,
|
||||
};
|
||||
|
||||
if (ctnetlink_needs_filter(family, cda)) {
|
||||
if (cda[CTA_FILTER])
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
filter = ctnetlink_alloc_filter(cda, family);
|
||||
if (IS_ERR(filter))
|
||||
return PTR_ERR(filter);
|
||||
@ -1610,14 +1607,14 @@ static int ctnetlink_del_conntrack(struct sk_buff *skb,
|
||||
if (err < 0)
|
||||
return err;
|
||||
|
||||
if (cda[CTA_TUPLE_ORIG])
|
||||
if (cda[CTA_TUPLE_ORIG] && !cda[CTA_FILTER])
|
||||
err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
|
||||
family, &zone);
|
||||
else if (cda[CTA_TUPLE_REPLY])
|
||||
else if (cda[CTA_TUPLE_REPLY] && !cda[CTA_FILTER])
|
||||
err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
|
||||
family, &zone);
|
||||
else {
|
||||
u_int8_t u3 = info->nfmsg->version ? family : AF_UNSPEC;
|
||||
u8 u3 = info->nfmsg->version || cda[CTA_FILTER] ? family : AF_UNSPEC;
|
||||
|
||||
return ctnetlink_flush_conntrack(info->net, cda,
|
||||
NETLINK_CB(skb).portid,
|
||||
|
||||
@ -1104,7 +1104,7 @@ int nf_nat_register_fn(struct net *net, u8 pf, const struct nf_hook_ops *ops,
|
||||
if (!nat_proto_net->nat_hook_ops) {
|
||||
WARN_ON(nat_proto_net->users != 0);
|
||||
|
||||
nat_ops = kmemdup(orig_nat_ops, sizeof(*orig_nat_ops) * ops_count, GFP_KERNEL);
|
||||
nat_ops = kmemdup_array(orig_nat_ops, ops_count, sizeof(*orig_nat_ops), GFP_KERNEL);
|
||||
if (!nat_ops) {
|
||||
mutex_unlock(&nf_nat_proto_mutex);
|
||||
return -ENOMEM;
|
||||
|
||||
@ -3886,7 +3886,6 @@ static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *r
|
||||
int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
|
||||
{
|
||||
struct nft_expr *expr, *last;
|
||||
const struct nft_data *data;
|
||||
struct nft_rule *rule;
|
||||
int err;
|
||||
|
||||
@ -3907,7 +3906,7 @@ int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
|
||||
/* This may call nft_chain_validate() recursively,
|
||||
* callers that do so must increment ctx->level.
|
||||
*/
|
||||
err = expr->ops->validate(ctx, expr, &data);
|
||||
err = expr->ops->validate(ctx, expr);
|
||||
if (err < 0)
|
||||
return err;
|
||||
}
|
||||
@ -4594,7 +4593,7 @@ int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
|
||||
return -ERANGE;
|
||||
|
||||
ms *= NSEC_PER_MSEC;
|
||||
*result = nsecs_to_jiffies64(ms);
|
||||
*result = nsecs_to_jiffies64(ms) ? : !!ms;
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -5695,12 +5694,8 @@ const struct nft_set_ext_type nft_set_ext_types[] = {
|
||||
.align = __alignof__(u8),
|
||||
},
|
||||
[NFT_SET_EXT_TIMEOUT] = {
|
||||
.len = sizeof(u64),
|
||||
.align = __alignof__(u64),
|
||||
},
|
||||
[NFT_SET_EXT_EXPIRATION] = {
|
||||
.len = sizeof(u64),
|
||||
.align = __alignof__(u64),
|
||||
.len = sizeof(struct nft_timeout),
|
||||
.align = __alignof__(struct nft_timeout),
|
||||
},
|
||||
[NFT_SET_EXT_USERDATA] = {
|
||||
.len = sizeof(struct nft_userdata),
|
||||
@ -5819,25 +5814,32 @@ static int nf_tables_fill_setelem(struct sk_buff *skb,
|
||||
htonl(*nft_set_ext_flags(ext))))
|
||||
goto nla_put_failure;
|
||||
|
||||
if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
|
||||
nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
|
||||
nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
|
||||
NFTA_SET_ELEM_PAD))
|
||||
goto nla_put_failure;
|
||||
if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) {
|
||||
u64 timeout = READ_ONCE(nft_set_ext_timeout(ext)->timeout);
|
||||
u64 set_timeout = READ_ONCE(set->timeout);
|
||||
__be64 msecs = 0;
|
||||
|
||||
if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
|
||||
u64 expires, now = get_jiffies_64();
|
||||
if (set_timeout != timeout) {
|
||||
msecs = nf_jiffies64_to_msecs(timeout);
|
||||
if (nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT, msecs,
|
||||
NFTA_SET_ELEM_PAD))
|
||||
goto nla_put_failure;
|
||||
}
|
||||
|
||||
expires = *nft_set_ext_expiration(ext);
|
||||
if (time_before64(now, expires))
|
||||
expires -= now;
|
||||
else
|
||||
expires = 0;
|
||||
if (timeout > 0) {
|
||||
u64 expires, now = get_jiffies_64();
|
||||
|
||||
if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
|
||||
nf_jiffies64_to_msecs(expires),
|
||||
NFTA_SET_ELEM_PAD))
|
||||
goto nla_put_failure;
|
||||
expires = READ_ONCE(nft_set_ext_timeout(ext)->expiration);
|
||||
if (time_before64(now, expires))
|
||||
expires -= now;
|
||||
else
|
||||
expires = 0;
|
||||
|
||||
if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
|
||||
nf_jiffies64_to_msecs(expires),
|
||||
NFTA_SET_ELEM_PAD))
|
||||
goto nla_put_failure;
|
||||
}
|
||||
}
|
||||
|
||||
if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
|
||||
@ -6500,13 +6502,14 @@ struct nft_elem_priv *nft_set_elem_init(const struct nft_set *set,
|
||||
nft_set_ext_data(ext), data, set->dlen) < 0)
|
||||
goto err_ext_check;
|
||||
|
||||
if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
|
||||
*nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
|
||||
if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) {
|
||||
nft_set_ext_timeout(ext)->timeout = timeout;
|
||||
|
||||
if (expiration == 0)
|
||||
*nft_set_ext_expiration(ext) += timeout;
|
||||
expiration = timeout;
|
||||
|
||||
nft_set_ext_timeout(ext)->expiration = get_jiffies_64() + expiration;
|
||||
}
|
||||
if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
|
||||
*nft_set_ext_timeout(ext) = timeout;
|
||||
|
||||
return elem;
|
||||
|
||||
@ -6849,6 +6852,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
|
||||
struct nft_data_desc desc;
|
||||
enum nft_registers dreg;
|
||||
struct nft_trans *trans;
|
||||
u8 update_flags;
|
||||
u64 expiration;
|
||||
u64 timeout;
|
||||
int err, i;
|
||||
@ -6917,17 +6921,23 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
|
||||
return err;
|
||||
} else if (set->flags & NFT_SET_TIMEOUT &&
|
||||
!(flags & NFT_SET_ELEM_INTERVAL_END)) {
|
||||
timeout = READ_ONCE(set->timeout);
|
||||
timeout = set->timeout;
|
||||
}
|
||||
|
||||
expiration = 0;
|
||||
if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
|
||||
if (!(set->flags & NFT_SET_TIMEOUT))
|
||||
return -EINVAL;
|
||||
if (timeout == 0)
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
|
||||
&expiration);
|
||||
if (err)
|
||||
return err;
|
||||
|
||||
if (expiration > timeout)
|
||||
return -ERANGE;
|
||||
}
|
||||
|
||||
if (nla[NFTA_SET_ELEM_EXPR]) {
|
||||
@ -7013,16 +7023,10 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
|
||||
goto err_parse_key_end;
|
||||
}
|
||||
|
||||
if (timeout > 0) {
|
||||
err = nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
|
||||
if (set->flags & NFT_SET_TIMEOUT) {
|
||||
err = nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
|
||||
if (err < 0)
|
||||
goto err_parse_key_end;
|
||||
|
||||
if (timeout != READ_ONCE(set->timeout)) {
|
||||
err = nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
|
||||
if (err < 0)
|
||||
goto err_parse_key_end;
|
||||
}
|
||||
}
|
||||
|
||||
if (num_exprs) {
|
||||
@ -7160,8 +7164,30 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
|
||||
nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
|
||||
*nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
|
||||
goto err_element_clash;
|
||||
else if (!(nlmsg_flags & NLM_F_EXCL))
|
||||
else if (!(nlmsg_flags & NLM_F_EXCL)) {
|
||||
err = 0;
|
||||
if (nft_set_ext_exists(ext2, NFT_SET_EXT_TIMEOUT)) {
|
||||
update_flags = 0;
|
||||
if (timeout != nft_set_ext_timeout(ext2)->timeout) {
|
||||
nft_trans_elem_timeout(trans) = timeout;
|
||||
if (expiration == 0)
|
||||
expiration = timeout;
|
||||
|
||||
update_flags |= NFT_TRANS_UPD_TIMEOUT;
|
||||
}
|
||||
if (expiration) {
|
||||
nft_trans_elem_expiration(trans) = expiration;
|
||||
update_flags |= NFT_TRANS_UPD_EXPIRATION;
|
||||
}
|
||||
|
||||
if (update_flags) {
|
||||
nft_trans_elem_priv(trans) = elem_priv;
|
||||
nft_trans_elem_update_flags(trans) = update_flags;
|
||||
nft_trans_commit_list_add_tail(ctx->net, trans);
|
||||
goto err_elem_free;
|
||||
}
|
||||
}
|
||||
}
|
||||
} else if (err == -ENOTEMPTY) {
|
||||
/* ENOTEMPTY reports overlapping between this element
|
||||
* and an existing one.
|
||||
@ -10486,7 +10512,22 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
|
||||
case NFT_MSG_NEWSETELEM:
|
||||
te = nft_trans_container_elem(trans);
|
||||
|
||||
nft_setelem_activate(net, te->set, te->elem_priv);
|
||||
if (te->update_flags) {
|
||||
const struct nft_set_ext *ext =
|
||||
nft_set_elem_ext(te->set, te->elem_priv);
|
||||
|
||||
if (te->update_flags & NFT_TRANS_UPD_TIMEOUT) {
|
||||
WRITE_ONCE(nft_set_ext_timeout(ext)->timeout,
|
||||
te->timeout);
|
||||
}
|
||||
if (te->update_flags & NFT_TRANS_UPD_EXPIRATION) {
|
||||
WRITE_ONCE(nft_set_ext_timeout(ext)->expiration,
|
||||
get_jiffies_64() + te->expiration);
|
||||
}
|
||||
} else {
|
||||
nft_setelem_activate(net, te->set, te->elem_priv);
|
||||
}
|
||||
|
||||
nf_tables_setelem_notify(&ctx, te->set,
|
||||
te->elem_priv,
|
||||
NFT_MSG_NEWSETELEM);
|
||||
@ -10786,7 +10827,8 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
|
||||
nft_trans_destroy(trans);
|
||||
break;
|
||||
case NFT_MSG_NEWSETELEM:
|
||||
if (nft_trans_elem_set_bound(trans)) {
|
||||
if (nft_trans_elem_update_flags(trans) ||
|
||||
nft_trans_elem_set_bound(trans)) {
|
||||
nft_trans_destroy(trans);
|
||||
break;
|
||||
}
|
||||
|
||||
@ -350,8 +350,7 @@ nla_put_failure:
|
||||
}
|
||||
|
||||
static int nft_target_validate(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr,
|
||||
const struct nft_data **data)
|
||||
const struct nft_expr *expr)
|
||||
{
|
||||
struct xt_target *target = expr->ops->data;
|
||||
unsigned int hook_mask = 0;
|
||||
@ -611,8 +610,7 @@ static int nft_match_large_dump(struct sk_buff *skb,
|
||||
}
|
||||
|
||||
static int nft_match_validate(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr,
|
||||
const struct nft_data **data)
|
||||
const struct nft_expr *expr)
|
||||
{
|
||||
struct xt_match *match = expr->ops->data;
|
||||
unsigned int hook_mask = 0;
|
||||
|
||||
@ -8,7 +8,7 @@
|
||||
#include <linux/kernel.h>
|
||||
#include <linux/init.h>
|
||||
#include <linux/module.h>
|
||||
#include <linux/seqlock.h>
|
||||
#include <linux/u64_stats_sync.h>
|
||||
#include <linux/netlink.h>
|
||||
#include <linux/netfilter.h>
|
||||
#include <linux/netfilter/nf_tables.h>
|
||||
@ -17,6 +17,11 @@
|
||||
#include <net/netfilter/nf_tables_offload.h>
|
||||
|
||||
struct nft_counter {
|
||||
u64_stats_t bytes;
|
||||
u64_stats_t packets;
|
||||
};
|
||||
|
||||
struct nft_counter_tot {
|
||||
s64 bytes;
|
||||
s64 packets;
|
||||
};
|
||||
@ -25,25 +30,24 @@ struct nft_counter_percpu_priv {
|
||||
struct nft_counter __percpu *counter;
|
||||
};
|
||||
|
||||
static DEFINE_PER_CPU(seqcount_t, nft_counter_seq);
|
||||
static DEFINE_PER_CPU(struct u64_stats_sync, nft_counter_sync);
|
||||
|
||||
static inline void nft_counter_do_eval(struct nft_counter_percpu_priv *priv,
|
||||
struct nft_regs *regs,
|
||||
const struct nft_pktinfo *pkt)
|
||||
{
|
||||
struct u64_stats_sync *nft_sync;
|
||||
struct nft_counter *this_cpu;
|
||||
seqcount_t *myseq;
|
||||
|
||||
local_bh_disable();
|
||||
this_cpu = this_cpu_ptr(priv->counter);
|
||||
myseq = this_cpu_ptr(&nft_counter_seq);
|
||||
nft_sync = this_cpu_ptr(&nft_counter_sync);
|
||||
|
||||
write_seqcount_begin(myseq);
|
||||
u64_stats_update_begin(nft_sync);
|
||||
u64_stats_add(&this_cpu->bytes, pkt->skb->len);
|
||||
u64_stats_inc(&this_cpu->packets);
|
||||
u64_stats_update_end(nft_sync);
|
||||
|
||||
this_cpu->bytes += pkt->skb->len;
|
||||
this_cpu->packets++;
|
||||
|
||||
write_seqcount_end(myseq);
|
||||
local_bh_enable();
|
||||
}
|
||||
|
||||
@ -66,17 +70,16 @@ static int nft_counter_do_init(const struct nlattr * const tb[],
|
||||
if (cpu_stats == NULL)
|
||||
return -ENOMEM;
|
||||
|
||||
preempt_disable();
|
||||
this_cpu = this_cpu_ptr(cpu_stats);
|
||||
this_cpu = raw_cpu_ptr(cpu_stats);
|
||||
if (tb[NFTA_COUNTER_PACKETS]) {
|
||||
this_cpu->packets =
|
||||
be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
|
||||
u64_stats_set(&this_cpu->packets,
|
||||
be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS])));
|
||||
}
|
||||
if (tb[NFTA_COUNTER_BYTES]) {
|
||||
this_cpu->bytes =
|
||||
be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
|
||||
u64_stats_set(&this_cpu->bytes,
|
||||
be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES])));
|
||||
}
|
||||
preempt_enable();
|
||||
|
||||
priv->counter = cpu_stats;
|
||||
return 0;
|
||||
}
|
||||
@ -104,40 +107,41 @@ static void nft_counter_obj_destroy(const struct nft_ctx *ctx,
|
||||
}
|
||||
|
||||
static void nft_counter_reset(struct nft_counter_percpu_priv *priv,
|
||||
struct nft_counter *total)
|
||||
struct nft_counter_tot *total)
|
||||
{
|
||||
struct u64_stats_sync *nft_sync;
|
||||
struct nft_counter *this_cpu;
|
||||
seqcount_t *myseq;
|
||||
|
||||
local_bh_disable();
|
||||
this_cpu = this_cpu_ptr(priv->counter);
|
||||
myseq = this_cpu_ptr(&nft_counter_seq);
|
||||
nft_sync = this_cpu_ptr(&nft_counter_sync);
|
||||
|
||||
u64_stats_update_begin(nft_sync);
|
||||
u64_stats_add(&this_cpu->packets, -total->packets);
|
||||
u64_stats_add(&this_cpu->bytes, -total->bytes);
|
||||
u64_stats_update_end(nft_sync);
|
||||
|
||||
write_seqcount_begin(myseq);
|
||||
this_cpu->packets -= total->packets;
|
||||
this_cpu->bytes -= total->bytes;
|
||||
write_seqcount_end(myseq);
|
||||
local_bh_enable();
|
||||
}
|
||||
|
||||
static void nft_counter_fetch(struct nft_counter_percpu_priv *priv,
|
||||
struct nft_counter *total)
|
||||
struct nft_counter_tot *total)
|
||||
{
|
||||
struct nft_counter *this_cpu;
|
||||
const seqcount_t *myseq;
|
||||
u64 bytes, packets;
|
||||
unsigned int seq;
|
||||
int cpu;
|
||||
|
||||
memset(total, 0, sizeof(*total));
|
||||
for_each_possible_cpu(cpu) {
|
||||
myseq = per_cpu_ptr(&nft_counter_seq, cpu);
|
||||
struct u64_stats_sync *nft_sync = per_cpu_ptr(&nft_counter_sync, cpu);
|
||||
|
||||
this_cpu = per_cpu_ptr(priv->counter, cpu);
|
||||
do {
|
||||
seq = read_seqcount_begin(myseq);
|
||||
bytes = this_cpu->bytes;
|
||||
packets = this_cpu->packets;
|
||||
} while (read_seqcount_retry(myseq, seq));
|
||||
seq = u64_stats_fetch_begin(nft_sync);
|
||||
bytes = u64_stats_read(&this_cpu->bytes);
|
||||
packets = u64_stats_read(&this_cpu->packets);
|
||||
} while (u64_stats_fetch_retry(nft_sync, seq));
|
||||
|
||||
total->bytes += bytes;
|
||||
total->packets += packets;
|
||||
@ -148,7 +152,7 @@ static int nft_counter_do_dump(struct sk_buff *skb,
|
||||
struct nft_counter_percpu_priv *priv,
|
||||
bool reset)
|
||||
{
|
||||
struct nft_counter total;
|
||||
struct nft_counter_tot total;
|
||||
|
||||
nft_counter_fetch(priv, &total);
|
||||
|
||||
@ -237,7 +241,7 @@ static int nft_counter_clone(struct nft_expr *dst, const struct nft_expr *src, g
|
||||
struct nft_counter_percpu_priv *priv_clone = nft_expr_priv(dst);
|
||||
struct nft_counter __percpu *cpu_stats;
|
||||
struct nft_counter *this_cpu;
|
||||
struct nft_counter total;
|
||||
struct nft_counter_tot total;
|
||||
|
||||
nft_counter_fetch(priv, &total);
|
||||
|
||||
@ -245,11 +249,9 @@ static int nft_counter_clone(struct nft_expr *dst, const struct nft_expr *src, g
|
||||
if (cpu_stats == NULL)
|
||||
return -ENOMEM;
|
||||
|
||||
preempt_disable();
|
||||
this_cpu = this_cpu_ptr(cpu_stats);
|
||||
this_cpu->packets = total.packets;
|
||||
this_cpu->bytes = total.bytes;
|
||||
preempt_enable();
|
||||
this_cpu = raw_cpu_ptr(cpu_stats);
|
||||
u64_stats_set(&this_cpu->packets, total.packets);
|
||||
u64_stats_set(&this_cpu->bytes, total.bytes);
|
||||
|
||||
priv_clone->counter = cpu_stats;
|
||||
return 0;
|
||||
@ -267,17 +269,17 @@ static void nft_counter_offload_stats(struct nft_expr *expr,
|
||||
const struct flow_stats *stats)
|
||||
{
|
||||
struct nft_counter_percpu_priv *priv = nft_expr_priv(expr);
|
||||
struct u64_stats_sync *nft_sync;
|
||||
struct nft_counter *this_cpu;
|
||||
seqcount_t *myseq;
|
||||
|
||||
local_bh_disable();
|
||||
this_cpu = this_cpu_ptr(priv->counter);
|
||||
myseq = this_cpu_ptr(&nft_counter_seq);
|
||||
nft_sync = this_cpu_ptr(&nft_counter_sync);
|
||||
|
||||
write_seqcount_begin(myseq);
|
||||
this_cpu->packets += stats->pkts;
|
||||
this_cpu->bytes += stats->bytes;
|
||||
write_seqcount_end(myseq);
|
||||
u64_stats_update_begin(nft_sync);
|
||||
u64_stats_add(&this_cpu->packets, stats->pkts);
|
||||
u64_stats_add(&this_cpu->bytes, stats->bytes);
|
||||
u64_stats_update_end(nft_sync);
|
||||
local_bh_enable();
|
||||
}
|
||||
|
||||
@ -286,7 +288,7 @@ void nft_counter_init_seqcount(void)
|
||||
int cpu;
|
||||
|
||||
for_each_possible_cpu(cpu)
|
||||
seqcount_init(per_cpu_ptr(&nft_counter_seq, cpu));
|
||||
u64_stats_init(per_cpu_ptr(&nft_counter_sync, cpu));
|
||||
}
|
||||
|
||||
struct nft_expr_type nft_counter_type;
|
||||
|
||||
@ -56,7 +56,7 @@ static struct nft_elem_priv *nft_dynset_new(struct nft_set *set,
|
||||
if (!atomic_add_unless(&set->nelems, 1, set->size))
|
||||
return NULL;
|
||||
|
||||
timeout = priv->timeout ? : set->timeout;
|
||||
timeout = priv->timeout ? : READ_ONCE(set->timeout);
|
||||
elem_priv = nft_set_elem_init(set, &priv->tmpl,
|
||||
®s->data[priv->sreg_key], NULL,
|
||||
®s->data[priv->sreg_data],
|
||||
@ -94,9 +94,10 @@ void nft_dynset_eval(const struct nft_expr *expr,
|
||||
if (set->ops->update(set, ®s->data[priv->sreg_key], nft_dynset_new,
|
||||
expr, regs, &ext)) {
|
||||
if (priv->op == NFT_DYNSET_OP_UPDATE &&
|
||||
nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
|
||||
timeout = priv->timeout ? : set->timeout;
|
||||
*nft_set_ext_expiration(ext) = get_jiffies_64() + timeout;
|
||||
nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
|
||||
READ_ONCE(nft_set_ext_timeout(ext)->timeout) != 0) {
|
||||
timeout = priv->timeout ? : READ_ONCE(set->timeout);
|
||||
WRITE_ONCE(nft_set_ext_timeout(ext)->expiration, get_jiffies_64() + timeout);
|
||||
}
|
||||
|
||||
nft_set_elem_update_expr(ext, regs, pkt);
|
||||
@ -312,12 +313,9 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
|
||||
if (priv->num_exprs)
|
||||
nft_dynset_ext_add_expr(priv);
|
||||
|
||||
if (set->flags & NFT_SET_TIMEOUT) {
|
||||
if (timeout || set->timeout) {
|
||||
nft_set_ext_add(&priv->tmpl, NFT_SET_EXT_TIMEOUT);
|
||||
nft_set_ext_add(&priv->tmpl, NFT_SET_EXT_EXPIRATION);
|
||||
}
|
||||
}
|
||||
if (set->flags & NFT_SET_TIMEOUT &&
|
||||
(timeout || READ_ONCE(set->timeout)))
|
||||
nft_set_ext_add(&priv->tmpl, NFT_SET_EXT_TIMEOUT);
|
||||
|
||||
priv->timeout = timeout;
|
||||
|
||||
|
||||
@ -26,8 +26,7 @@ const struct nla_policy nft_fib_policy[NFTA_FIB_MAX + 1] = {
|
||||
};
|
||||
EXPORT_SYMBOL(nft_fib_policy);
|
||||
|
||||
int nft_fib_validate(const struct nft_ctx *ctx, const struct nft_expr *expr,
|
||||
const struct nft_data **data)
|
||||
int nft_fib_validate(const struct nft_ctx *ctx, const struct nft_expr *expr)
|
||||
{
|
||||
const struct nft_fib *priv = nft_expr_priv(expr);
|
||||
unsigned int hooks;
|
||||
|
||||
@ -380,8 +380,7 @@ out:
|
||||
}
|
||||
|
||||
static int nft_flow_offload_validate(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr,
|
||||
const struct nft_data **data)
|
||||
const struct nft_expr *expr)
|
||||
{
|
||||
unsigned int hook_mask = (1 << NF_INET_FORWARD);
|
||||
|
||||
|
||||
@ -204,8 +204,7 @@ nla_put_failure:
|
||||
}
|
||||
|
||||
static int nft_fwd_validate(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr,
|
||||
const struct nft_data **data)
|
||||
const struct nft_expr *expr)
|
||||
{
|
||||
return nft_chain_validate_hooks(ctx->chain, (1 << NF_NETDEV_INGRESS) |
|
||||
(1 << NF_NETDEV_EGRESS));
|
||||
|
||||
@ -244,8 +244,7 @@ nla_put_failure:
|
||||
}
|
||||
|
||||
static int nft_immediate_validate(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr,
|
||||
const struct nft_data **d)
|
||||
const struct nft_expr *expr)
|
||||
{
|
||||
const struct nft_immediate_expr *priv = nft_expr_priv(expr);
|
||||
struct nft_ctx *pctx = (struct nft_ctx *)ctx;
|
||||
|
||||
@ -206,8 +206,7 @@ nla_put_failure:
|
||||
}
|
||||
|
||||
static int nft_lookup_validate(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr,
|
||||
const struct nft_data **d)
|
||||
const struct nft_expr *expr)
|
||||
{
|
||||
const struct nft_lookup *priv = nft_expr_priv(expr);
|
||||
struct nft_set_iter iter;
|
||||
|
||||
@ -27,8 +27,7 @@ static const struct nla_policy nft_masq_policy[NFTA_MASQ_MAX + 1] = {
|
||||
};
|
||||
|
||||
static int nft_masq_validate(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr,
|
||||
const struct nft_data **data)
|
||||
const struct nft_expr *expr)
|
||||
{
|
||||
int err;
|
||||
|
||||
|
||||
@ -581,8 +581,7 @@ static int nft_meta_get_validate_xfrm(const struct nft_ctx *ctx)
|
||||
}
|
||||
|
||||
static int nft_meta_get_validate(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr,
|
||||
const struct nft_data **data)
|
||||
const struct nft_expr *expr)
|
||||
{
|
||||
const struct nft_meta *priv = nft_expr_priv(expr);
|
||||
|
||||
@ -600,8 +599,7 @@ static int nft_meta_get_validate(const struct nft_ctx *ctx,
|
||||
}
|
||||
|
||||
int nft_meta_set_validate(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr,
|
||||
const struct nft_data **data)
|
||||
const struct nft_expr *expr)
|
||||
{
|
||||
struct nft_meta *priv = nft_expr_priv(expr);
|
||||
unsigned int hooks;
|
||||
|
||||
@ -137,8 +137,7 @@ static const struct nla_policy nft_nat_policy[NFTA_NAT_MAX + 1] = {
|
||||
};
|
||||
|
||||
static int nft_nat_validate(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr,
|
||||
const struct nft_data **data)
|
||||
const struct nft_expr *expr)
|
||||
{
|
||||
struct nft_nat *priv = nft_expr_priv(expr);
|
||||
int err;
|
||||
|
||||
@ -108,8 +108,7 @@ nla_put_failure:
|
||||
}
|
||||
|
||||
static int nft_osf_validate(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr,
|
||||
const struct nft_data **data)
|
||||
const struct nft_expr *expr)
|
||||
{
|
||||
unsigned int hooks;
|
||||
|
||||
|
||||
@ -69,8 +69,7 @@ static void nft_queue_sreg_eval(const struct nft_expr *expr,
|
||||
}
|
||||
|
||||
static int nft_queue_validate(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr,
|
||||
const struct nft_data **data)
|
||||
const struct nft_expr *expr)
|
||||
{
|
||||
static const unsigned int supported_hooks = ((1 << NF_INET_PRE_ROUTING) |
|
||||
(1 << NF_INET_LOCAL_IN) |
|
||||
|
||||
@ -27,8 +27,7 @@ static const struct nla_policy nft_redir_policy[NFTA_REDIR_MAX + 1] = {
|
||||
};
|
||||
|
||||
static int nft_redir_validate(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr,
|
||||
const struct nft_data **data)
|
||||
const struct nft_expr *expr)
|
||||
{
|
||||
int err;
|
||||
|
||||
|
||||
@ -24,8 +24,7 @@ const struct nla_policy nft_reject_policy[NFTA_REJECT_MAX + 1] = {
|
||||
EXPORT_SYMBOL_GPL(nft_reject_policy);
|
||||
|
||||
int nft_reject_validate(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr,
|
||||
const struct nft_data **data)
|
||||
const struct nft_expr *expr)
|
||||
{
|
||||
return nft_chain_validate_hooks(ctx->chain,
|
||||
(1 << NF_INET_LOCAL_IN) |
|
||||
|
||||
@ -61,8 +61,7 @@ static void nft_reject_inet_eval(const struct nft_expr *expr,
|
||||
}
|
||||
|
||||
static int nft_reject_inet_validate(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr,
|
||||
const struct nft_data **data)
|
||||
const struct nft_expr *expr)
|
||||
{
|
||||
return nft_chain_validate_hooks(ctx->chain,
|
||||
(1 << NF_INET_LOCAL_IN) |
|
||||
|
||||
@ -145,8 +145,7 @@ out:
|
||||
}
|
||||
|
||||
static int nft_reject_netdev_validate(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr,
|
||||
const struct nft_data **data)
|
||||
const struct nft_expr *expr)
|
||||
{
|
||||
return nft_chain_validate_hooks(ctx->chain, (1 << NF_NETDEV_INGRESS));
|
||||
}
|
||||
|
||||
@ -160,8 +160,7 @@ nla_put_failure:
|
||||
return -1;
|
||||
}
|
||||
|
||||
static int nft_rt_validate(const struct nft_ctx *ctx, const struct nft_expr *expr,
|
||||
const struct nft_data **data)
|
||||
static int nft_rt_validate(const struct nft_ctx *ctx, const struct nft_expr *expr)
|
||||
{
|
||||
const struct nft_rt *priv = nft_expr_priv(expr);
|
||||
unsigned int hooks;
|
||||
|
||||
@ -239,8 +239,7 @@ static bool nft_socket_reduce(struct nft_regs_track *track,
|
||||
}
|
||||
|
||||
static int nft_socket_validate(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr,
|
||||
const struct nft_data **data)
|
||||
const struct nft_expr *expr)
|
||||
{
|
||||
if (ctx->family != NFPROTO_IPV4 &&
|
||||
ctx->family != NFPROTO_IPV6 &&
|
||||
|
||||
@ -248,8 +248,7 @@ static void nft_synproxy_eval(const struct nft_expr *expr,
|
||||
}
|
||||
|
||||
static int nft_synproxy_validate(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr,
|
||||
const struct nft_data **data)
|
||||
const struct nft_expr *expr)
|
||||
{
|
||||
if (ctx->family != NFPROTO_IPV4 &&
|
||||
ctx->family != NFPROTO_IPV6 &&
|
||||
|
||||
@ -313,8 +313,7 @@ static int nft_tproxy_dump(struct sk_buff *skb,
|
||||
}
|
||||
|
||||
static int nft_tproxy_validate(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr,
|
||||
const struct nft_data **data)
|
||||
const struct nft_expr *expr)
|
||||
{
|
||||
if (ctx->family != NFPROTO_IPV4 &&
|
||||
ctx->family != NFPROTO_IPV6 &&
|
||||
|
||||
@ -229,8 +229,7 @@ static int nft_xfrm_get_dump(struct sk_buff *skb,
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int nft_xfrm_validate(const struct nft_ctx *ctx, const struct nft_expr *expr,
|
||||
const struct nft_data **data)
|
||||
static int nft_xfrm_validate(const struct nft_ctx *ctx, const struct nft_expr *expr)
|
||||
{
|
||||
const struct nft_xfrm *priv = nft_expr_priv(expr);
|
||||
unsigned int hooks;
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user