Commit 07114590 authored by David S. Miller's avatar David S. Miller

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains Netfilter updates for net-next:

1) Add support for the catch-all set element. This special element
   can be used to define a default action to be applied in case that
   the set lookup returns no matching element.

2) Fix incorrect #ifdef dependencies in the nftables cgroupsv2
   support, from Arnd Bergmann.
====================
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 69e16d01 7acc0bb4
...@@ -497,6 +497,7 @@ struct nft_set { ...@@ -497,6 +497,7 @@ struct nft_set {
u8 dlen; u8 dlen;
u8 num_exprs; u8 num_exprs;
struct nft_expr *exprs[NFT_SET_EXPR_MAX]; struct nft_expr *exprs[NFT_SET_EXPR_MAX];
struct list_head catchall_list;
unsigned char data[] unsigned char data[]
__attribute__((aligned(__alignof__(u64)))); __attribute__((aligned(__alignof__(u64))));
}; };
...@@ -522,6 +523,10 @@ struct nft_set *nft_set_lookup_global(const struct net *net, ...@@ -522,6 +523,10 @@ struct nft_set *nft_set_lookup_global(const struct net *net,
const struct nlattr *nla_set_id, const struct nlattr *nla_set_id,
u8 genmask); u8 genmask);
struct nft_set_ext *nft_set_catchall_lookup(const struct net *net,
const struct nft_set *set);
void *nft_set_catchall_gc(const struct nft_set *set);
static inline unsigned long nft_set_gc_interval(const struct nft_set *set) static inline unsigned long nft_set_gc_interval(const struct nft_set *set)
{ {
return set->gc_int ? msecs_to_jiffies(set->gc_int) : HZ; return set->gc_int ? msecs_to_jiffies(set->gc_int) : HZ;
......
...@@ -398,9 +398,11 @@ enum nft_set_attributes { ...@@ -398,9 +398,11 @@ enum nft_set_attributes {
* enum nft_set_elem_flags - nf_tables set element flags * enum nft_set_elem_flags - nf_tables set element flags
* *
* @NFT_SET_ELEM_INTERVAL_END: element ends the previous interval * @NFT_SET_ELEM_INTERVAL_END: element ends the previous interval
* @NFT_SET_ELEM_CATCHALL: special catch-all element
*/ */
enum nft_set_elem_flags { enum nft_set_elem_flags {
NFT_SET_ELEM_INTERVAL_END = 0x1, NFT_SET_ELEM_INTERVAL_END = 0x1,
NFT_SET_ELEM_CATCHALL = 0x2,
}; };
/** /**
......
This diff is collapsed.
...@@ -30,13 +30,17 @@ void nft_lookup_eval(const struct nft_expr *expr, ...@@ -30,13 +30,17 @@ void nft_lookup_eval(const struct nft_expr *expr,
const struct nft_lookup *priv = nft_expr_priv(expr); const struct nft_lookup *priv = nft_expr_priv(expr);
const struct nft_set *set = priv->set; const struct nft_set *set = priv->set;
const struct nft_set_ext *ext = NULL; const struct nft_set_ext *ext = NULL;
const struct net *net = nft_net(pkt);
bool found; bool found;
found = set->ops->lookup(nft_net(pkt), set, &regs->data[priv->sreg], found = set->ops->lookup(net, set, &regs->data[priv->sreg], &ext) ^
&ext) ^ priv->invert; priv->invert;
if (!found) { if (!found) {
regs->verdict.code = NFT_BREAK; ext = nft_set_catchall_lookup(net, set);
return; if (!ext) {
regs->verdict.code = NFT_BREAK;
return;
}
} }
if (ext) { if (ext) {
......
...@@ -105,15 +105,18 @@ static void nft_objref_map_eval(const struct nft_expr *expr, ...@@ -105,15 +105,18 @@ static void nft_objref_map_eval(const struct nft_expr *expr,
{ {
struct nft_objref_map *priv = nft_expr_priv(expr); struct nft_objref_map *priv = nft_expr_priv(expr);
const struct nft_set *set = priv->set; const struct nft_set *set = priv->set;
struct net *net = nft_net(pkt);
const struct nft_set_ext *ext; const struct nft_set_ext *ext;
struct nft_object *obj; struct nft_object *obj;
bool found; bool found;
found = set->ops->lookup(nft_net(pkt), set, &regs->data[priv->sreg], found = set->ops->lookup(net, set, &regs->data[priv->sreg], &ext);
&ext);
if (!found) { if (!found) {
regs->verdict.code = NFT_BREAK; ext = nft_set_catchall_lookup(net, set);
return; if (!ext) {
regs->verdict.code = NFT_BREAK;
return;
}
} }
obj = *nft_set_ext_obj(ext); obj = *nft_set_ext_obj(ext);
obj->ops->eval(obj, regs, pkt); obj->ops->eval(obj, regs, pkt);
......
...@@ -350,6 +350,12 @@ static void nft_rhash_gc(struct work_struct *work) ...@@ -350,6 +350,12 @@ static void nft_rhash_gc(struct work_struct *work)
rhashtable_walk_stop(&hti); rhashtable_walk_stop(&hti);
rhashtable_walk_exit(&hti); rhashtable_walk_exit(&hti);
he = nft_set_catchall_gc(set);
if (he) {
gcb = nft_set_gc_batch_check(set, gcb, GFP_ATOMIC);
if (gcb)
nft_set_gc_batch_add(gcb, he);
}
nft_set_gc_batch_complete(gcb); nft_set_gc_batch_complete(gcb);
queue_delayed_work(system_power_efficient_wq, &priv->gc_work, queue_delayed_work(system_power_efficient_wq, &priv->gc_work,
nft_set_gc_interval(set)); nft_set_gc_interval(set));
......
...@@ -1529,11 +1529,11 @@ static void pipapo_gc(const struct nft_set *set, struct nft_pipapo_match *m) ...@@ -1529,11 +1529,11 @@ static void pipapo_gc(const struct nft_set *set, struct nft_pipapo_match *m)
{ {
struct nft_pipapo *priv = nft_set_priv(set); struct nft_pipapo *priv = nft_set_priv(set);
int rules_f0, first_rule = 0; int rules_f0, first_rule = 0;
struct nft_pipapo_elem *e;
while ((rules_f0 = pipapo_rules_same_key(m->f, first_rule))) { while ((rules_f0 = pipapo_rules_same_key(m->f, first_rule))) {
union nft_pipapo_map_bucket rulemap[NFT_PIPAPO_MAX_FIELDS]; union nft_pipapo_map_bucket rulemap[NFT_PIPAPO_MAX_FIELDS];
struct nft_pipapo_field *f; struct nft_pipapo_field *f;
struct nft_pipapo_elem *e;
int i, start, rules_fx; int i, start, rules_fx;
start = first_rule; start = first_rule;
...@@ -1569,6 +1569,10 @@ static void pipapo_gc(const struct nft_set *set, struct nft_pipapo_match *m) ...@@ -1569,6 +1569,10 @@ static void pipapo_gc(const struct nft_set *set, struct nft_pipapo_match *m)
} }
} }
e = nft_set_catchall_gc(set);
if (e)
nft_set_elem_destroy(set, e, true);
priv->last_gc = jiffies; priv->last_gc = jiffies;
} }
......
...@@ -541,6 +541,12 @@ static void nft_rbtree_gc(struct work_struct *work) ...@@ -541,6 +541,12 @@ static void nft_rbtree_gc(struct work_struct *work)
write_seqcount_end(&priv->count); write_seqcount_end(&priv->count);
write_unlock_bh(&priv->lock); write_unlock_bh(&priv->lock);
rbe = nft_set_catchall_gc(set);
if (rbe) {
gcb = nft_set_gc_batch_check(set, gcb, GFP_ATOMIC);
if (gcb)
nft_set_gc_batch_add(gcb, rbe);
}
nft_set_gc_batch_complete(gcb); nft_set_gc_batch_complete(gcb);
queue_delayed_work(system_power_efficient_wq, &priv->gc_work, queue_delayed_work(system_power_efficient_wq, &priv->gc_work,
......
...@@ -34,7 +34,7 @@ static void nft_socket_wildcard(const struct nft_pktinfo *pkt, ...@@ -34,7 +34,7 @@ static void nft_socket_wildcard(const struct nft_pktinfo *pkt,
} }
} }
#ifdef CONFIG_CGROUPS #ifdef CONFIG_SOCK_CGROUP_DATA
static noinline bool static noinline bool
nft_sock_get_eval_cgroupv2(u32 *dest, const struct nft_pktinfo *pkt, u32 level) nft_sock_get_eval_cgroupv2(u32 *dest, const struct nft_pktinfo *pkt, u32 level)
{ {
...@@ -106,7 +106,7 @@ static void nft_socket_eval(const struct nft_expr *expr, ...@@ -106,7 +106,7 @@ static void nft_socket_eval(const struct nft_expr *expr,
} }
nft_socket_wildcard(pkt, regs, sk, dest); nft_socket_wildcard(pkt, regs, sk, dest);
break; break;
#ifdef CONFIG_CGROUPS #ifdef CONFIG_SOCK_CGROUP_DATA
case NFT_SOCKET_CGROUPV2: case NFT_SOCKET_CGROUPV2:
if (!nft_sock_get_eval_cgroupv2(dest, pkt, priv->level)) { if (!nft_sock_get_eval_cgroupv2(dest, pkt, priv->level)) {
regs->verdict.code = NFT_BREAK; regs->verdict.code = NFT_BREAK;
...@@ -134,7 +134,7 @@ static int nft_socket_init(const struct nft_ctx *ctx, ...@@ -134,7 +134,7 @@ static int nft_socket_init(const struct nft_ctx *ctx,
const struct nlattr * const tb[]) const struct nlattr * const tb[])
{ {
struct nft_socket *priv = nft_expr_priv(expr); struct nft_socket *priv = nft_expr_priv(expr);
unsigned int len, level; unsigned int len;
if (!tb[NFTA_SOCKET_DREG] || !tb[NFTA_SOCKET_KEY]) if (!tb[NFTA_SOCKET_DREG] || !tb[NFTA_SOCKET_KEY])
return -EINVAL; return -EINVAL;
...@@ -160,7 +160,9 @@ static int nft_socket_init(const struct nft_ctx *ctx, ...@@ -160,7 +160,9 @@ static int nft_socket_init(const struct nft_ctx *ctx,
len = sizeof(u32); len = sizeof(u32);
break; break;
#ifdef CONFIG_CGROUPS #ifdef CONFIG_CGROUPS
case NFT_SOCKET_CGROUPV2: case NFT_SOCKET_CGROUPV2: {
unsigned int level;
if (!tb[NFTA_SOCKET_LEVEL]) if (!tb[NFTA_SOCKET_LEVEL])
return -EINVAL; return -EINVAL;
...@@ -171,6 +173,7 @@ static int nft_socket_init(const struct nft_ctx *ctx, ...@@ -171,6 +173,7 @@ static int nft_socket_init(const struct nft_ctx *ctx,
priv->level = level; priv->level = level;
len = sizeof(u64); len = sizeof(u64);
break; break;
}
#endif #endif
default: default:
return -EOPNOTSUPP; return -EOPNOTSUPP;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment