@@ -223,6 +223,8 @@ struct nft_ctx {
bool report;
};
+void nft_commit_notify(struct net *net, u32 portid);
+
enum nft_data_desc_flags {
NFT_DATA_DESC_SETELEM = (1 << 0),
};
@@ -1123,6 +1125,8 @@ int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set);
int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain);
void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain);
+void nf_tables_chain_notify(const struct nft_ctx *ctx, int event,
+ const struct list_head *hook_list);
enum nft_chain_types {
NFT_CHAIN_T_DEFAULT = 0,
@@ -1903,8 +1903,8 @@ static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
return -1;
}
-static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event,
- const struct list_head *hook_list)
+void nf_tables_chain_notify(const struct nft_ctx *ctx, int event,
+ const struct list_head *hook_list)
{
struct nftables_pernet *nft_net;
struct sk_buff *skb;
@@ -9246,6 +9246,7 @@ static int nf_tables_flowtable_event(struct notifier_block *this,
struct nftables_pernet *nft_net;
struct nft_table *table;
struct net *net;
+ int rc = 0;
if (event == NETDEV_CHANGENAME) {
nf_tables_flowtable_event(this, NETDEV_UNREGISTER, ptr);
@@ -9260,11 +9261,23 @@ static int nf_tables_flowtable_event(struct notifier_block *this,
mutex_lock(&nft_net->commit_mutex);
list_for_each_entry(table, &nft_net->tables, list) {
list_for_each_entry(flowtable, &table->flowtables, list) {
- if (nft_flowtable_event(event, dev, flowtable))
+ rc = nft_flowtable_event(event, dev, flowtable);
+ if (rc)
goto out_unlock;
}
}
out_unlock:
+ if (rc == 1) {
+ struct nft_ctx ctx = {
+ .net = net,
+ .family = flowtable->table->family
+ };
+
+ nf_tables_flowtable_notify(&ctx, flowtable,
+ &flowtable->hook_list,
+ NFT_MSG_NEWFLOWTABLE);
+ nft_commit_notify(ctx.net, ctx.portid);
+ }
mutex_unlock(&nft_net->commit_mutex);
return NOTIFY_DONE;
@@ -10148,7 +10161,7 @@ static void nf_tables_commit_release(struct net *net)
mutex_unlock(&nft_net->commit_mutex);
}
-static void nft_commit_notify(struct net *net, u32 portid)
+void nft_commit_notify(struct net *net, u32 portid)
{
struct nftables_pernet *nft_net = nft_pernet(net);
struct sk_buff *batch_skb = NULL, *nskb, *skb;
@@ -342,6 +342,7 @@ static void nft_netdev_event(unsigned long event, struct net_device *dev,
{
struct nft_base_chain *basechain = nft_base_chain(ctx->chain);
struct nft_hook *hook;
+ bool notify = false;
if (event != NETDEV_UNREGISTER &&
event != NETDEV_REGISTER)
@@ -350,21 +351,29 @@ static void nft_netdev_event(unsigned long event, struct net_device *dev,
list_for_each_entry(hook, &basechain->hook_list, list) {
switch (event) {
case NETDEV_UNREGISTER:
- if (hook->ops.dev == dev)
+ if (hook->ops.dev == dev) {
nft_netdev_hook_dev_update(hook, NULL);
+ notify = true;
+ }
break;
case NETDEV_REGISTER:
if (hook->ops.dev ||
strncmp(hook->ifname, dev->name, hook->ifnamelen))
break;
- if (!nft_netdev_hook_dev_update(hook, dev))
- return;
+ if (!nft_netdev_hook_dev_update(hook, dev)) {
+ notify = true;
+ goto out_notify;
+ }
printk(KERN_ERR "chain %s: Can't hook into device %s\n",
ctx->chain->name, dev->name);
break;
}
}
+out_notify:
+ if (notify)
+ nf_tables_chain_notify(ctx, NFT_MSG_NEWCHAIN,
+ &basechain->hook_list);
}
static int nf_tables_netdev_event(struct notifier_block *this,
@@ -409,6 +418,7 @@ static int nf_tables_netdev_event(struct notifier_block *this,
nft_netdev_event(event, dev, &ctx);
}
}
+ nft_commit_notify(ctx.net, ctx.portid);
mutex_unlock(&nft_net->commit_mutex);
return NOTIFY_DONE;
If netdev hooks are updated due to netdev add/remove events, notify user space via the usual netlink notification mechanism. Signed-off-by: Phil Sutter <phil@nwl.cc> --- include/net/netfilter/nf_tables.h | 4 ++++ net/netfilter/nf_tables_api.c | 21 +++++++++++++++++---- net/netfilter/nft_chain_filter.c | 16 +++++++++++++--- 3 files changed, 34 insertions(+), 7 deletions(-)