[nf-next,v3,00/16] Dynamic hook interface binding

Message ID 20240912122148.12159-1-phil@nwl.cc
Phil Sutter Sept. 12, 2024, 12:21 p.m. UTC
Changes since v2:
- Practically complete rewrite with wildcard interface spec support

The first two patches of this series are fixes to existing code but
cause conflicts if not applied in order. They may go into nf tree as
well, though only the first one is a real bug and seems to be of low
impact.

The next three patches introduce external storing of the user-supplied
interface name in nft_hook structs to decouple code from values in
->ops.dev or ->ops value in general.

Patch 6 eliminates a quirk in netdev-family chain netdev event handler,
aligns behaviour with flowtables and paves the way for following
changes.

Patches 7-10 prepare for and implement nf_hook_ops lists in nft_hook
objects. This is crucial for wildcard interface specs and convenient
with dynamic netdev hook registration upon NETDEV_REGISTER events.

Patches 11-13 leverage the new infrastructure to correctly handle
NETDEV_REGISTER and NETDEV_CHANGENAME events.

Patch 14 prepares the code for non-NUL-terminated interface names passed
by user space which resemble prefixes to match on. As a side-effect,
hook allocation code becomes tolerant to non-matching interface specs.

The final two patches implement netlink notifications for netdev
add/remove events and add a kselftest.

Phil Sutter (16):
  netfilter: nf_tables: Keep deleted flowtable hooks until after RCU
  netfilter: nf_tables: Flowtable hook's pf value never varies
  netfilter: nf_tables: Store user-defined hook ifname
  netfilter: nf_tables: Use stored ifname in netdev hook dumps
  netfilter: nf_tables: Compare netdev hooks based on stored name
  netfilter: nf_tables: Tolerate chains with no remaining hooks
  netfilter: nf_tables: Introduce functions freeing nft_hook objects
  netfilter: nf_tables: Introduce nft_hook_find_ops()
  netfilter: nf_tables: Introduce nft_register_flowtable_ops()
  netfilter: nf_tables: Have a list of nf_hook_ops in nft_hook
  netfilter: nf_tables: chain: Respect NETDEV_REGISTER events
  netfilter: nf_tables: flowtable: Respect NETDEV_REGISTER events
  netfilter: nf_tables: Handle NETDEV_CHANGENAME events
  netfilter: nf_tables: Support wildcard netdev hook specs
  netfilter: nf_tables: Add notifications for hook changes
  selftests: netfilter: Torture nftables netdev hooks

 include/linux/netfilter.h                     |   2 +
 include/net/netfilter/nf_tables.h             |  11 +-
 include/uapi/linux/netfilter/nf_tables.h      |   5 +
 net/netfilter/nf_tables_api.c                 | 386 +++++++++++++-----
 net/netfilter/nf_tables_offload.c             |  51 ++-
 net/netfilter/nft_chain_filter.c              |  64 +--
 net/netfilter/nft_flow_offload.c              |   2 +-
 .../testing/selftests/net/netfilter/Makefile  |   1 +
 .../net/netfilter/nft_interface_stress.sh     | 149 +++++++
 9 files changed, 508 insertions(+), 163 deletions(-)
 create mode 100755 tools/testing/selftests/net/netfilter/nft_interface_stress.sh
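An added user-space model of the binding rules the cover letter describes for patches 11 to 14: a supplied interface spec is an exact name when it is NUL-terminated and a prefix otherwise, and each hook keeps one binding per matching device, added on NETDEV_REGISTER, dropped on unregister, and re-evaluated on NETDEV_CHANGENAME. This is not code from the series or the kernel; the struct and function names, the fixed-capacity binding list and the replayed event sequence are assumptions of this example.

```c
/*
 * Model of netdev hook binding with exact and prefix interface specs.
 * Written for this page; names and layout are assumptions, not the
 * kernel's nft_hook / nf_hook_ops implementation.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16	/* same bound as Linux interface names */
#define MAX_DEVS 8	/* arbitrary capacity for this model */

struct hook_spec {
	char ifname[IFNAMSIZ];
	size_t ifnamelen;	/* significant bytes of ifname */
	bool prefix;		/* supplied name carried no NUL terminator */
};

/* One binding per matched device: the analogue of the per-hook ops list. */
struct hook {
	struct hook_spec spec;
	char bound[MAX_DEVS][IFNAMSIZ];
	int nbound;
};

/* Build a spec from a raw attribute of 'len' bytes that may omit the NUL. */
static int spec_from_attr(struct hook_spec *s, const char *attr, size_t len)
{
	const char *nul;

	memset(s, 0, sizeof(*s));
	if (len == 0 || len > IFNAMSIZ)
		return -1;
	nul = memchr(attr, '\0', len);
	s->prefix = (nul == NULL);
	s->ifnamelen = s->prefix ? len : (size_t)(nul - attr);
	if (s->ifnamelen == 0)
		return -1;	/* an empty exact name matches nothing useful */
	memcpy(s->ifname, attr, s->ifnamelen);
	return 0;
}

static bool spec_matches(const struct hook_spec *s, const char *dev)
{
	size_t devlen = strlen(dev);

	if (devlen < s->ifnamelen)
		return false;
	if (!s->prefix && devlen != s->ifnamelen)
		return false;	/* exact spec: lengths must agree */
	return memcmp(s->ifname, dev, s->ifnamelen) == 0;
}

static int hook_find(const struct hook *h, const char *dev)
{
	for (int i = 0; i < h->nbound; i++)
		if (strcmp(h->bound[i], dev) == 0)
			return i;
	return -1;
}

/* NETDEV_REGISTER: bind a newly appearing device if the spec covers it. */
static void on_register(struct hook *h, const char *dev)
{
	if (!spec_matches(&h->spec, dev) || hook_find(h, dev) >= 0 ||
	    h->nbound == MAX_DEVS)
		return;
	snprintf(h->bound[h->nbound++], IFNAMSIZ, "%s", dev);
}

/* NETDEV_UNREGISTER: drop only this binding; the hook itself survives. */
static void on_unregister(struct hook *h, const char *dev)
{
	int i = hook_find(h, dev);

	if (i < 0)
		return;
	h->nbound--;
	memmove(h->bound[i], h->bound[h->nbound], IFNAMSIZ);
}

/* NETDEV_CHANGENAME: old name may leave the spec, new one may enter it. */
static void on_changename(struct hook *h, const char *oldname, const char *newname)
{
	on_unregister(h, oldname);
	on_register(h, newname);
}

/* Returns 1/0 for match/no match, -1 for an invalid spec. */
static int check_match(const char *attr, size_t len, const char *dev)
{
	struct hook_spec s;

	if (spec_from_attr(&s, attr, len) < 0)
		return -1;
	return spec_matches(&s, dev) ? 1 : 0;
}

/* Replays a constructed event sequence; returns devices still bound. */
static int run_scenario(const char *attr, size_t len)
{
	struct hook h = { 0 };

	if (spec_from_attr(&h.spec, attr, len) < 0)
		return -1;
	on_register(&h, "eth0");
	on_register(&h, "eth1");
	on_register(&h, "veth0");		/* prefix never matches mid-name */
	on_changename(&h, "eth1", "wan0");	/* renamed out of the spec */
	on_unregister(&h, "eth0");
	on_register(&h, "eth2");		/* appears after the hook existed */
	return h.nbound;
}

int main(void)
{
	printf("prefix \"eth\"  -> %d bound\n", run_scenario("eth", 3));
	printf("exact  \"eth0\" -> %d bound\n", run_scenario("eth0", 5));
	return 0;
}
```

The prefix spec ends the scenario with only eth2 bound, because eth1 was renamed out of the prefix and eth0 was removed, while the exact spec ends with nothing bound; both outcomes are reached without the hook object itself being deleted, which is the tolerance patch 6 describes.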