From patchwork Thu Sep 12 12:21:33 2024
X-Patchwork-Submitter: Phil Sutter
X-Patchwork-Id: 1984659
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org, Florian Westphal, Eric Garver
Subject: [nf-next PATCH v3 01/16] netfilter: nf_tables: Keep deleted flowtable hooks until after RCU
Date: Thu, 12 Sep 2024 14:21:33 +0200
Message-ID: <20240912122148.12159-2-phil@nwl.cc>
In-Reply-To: <20240912122148.12159-1-phil@nwl.cc>
References: <20240912122148.12159-1-phil@nwl.cc>

Documentation of list_del_rcu() warns callers to not immediately free the deleted list item. While it seems not necessary to use the RCU-variant of list_del() here in the first place, doing so seems to require calling kfree_rcu() on the deleted item as well.

Fixes: 3f0465a9ef02 ("netfilter: nf_tables: dynamically allocate hooks per net_device in flowtables")
Signed-off-by: Phil Sutter
---
 net/netfilter/nf_tables_api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index b6547fe22bd8..2982f49b6d55 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -9180,7 +9180,7 @@ static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable) flowtable->data.type->setup(&flowtable->data, hook->ops.dev, FLOW_BLOCK_UNBIND); list_del_rcu(&hook->list); - kfree(hook); + kfree_rcu(hook, rcu); } kfree(flowtable->name); module_put(flowtable->data.type->owner);

From patchwork Thu Sep 12 12:21:34 2024
X-Patchwork-Submitter: Phil Sutter
X-Patchwork-Id: 1984651
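Review bot: the kfree() to kfree_rcu(hook, rcu) change in the nf_tables_flowtable_destroy() hunk of 01/16 above closes a use-after-free window, not merely a documentation nit: nf_tables_fill_flowtable_info() (see the 04/16 hunk) walks the same hook_list with list_for_each_entry_rcu(), so a concurrent dump that already holds a hook pointer keeps reading it after list_del_rcu() and would touch freed memory under the synchronous kfree(). That also settles the commit message's doubt about whether list_del_rcu() is needed here: it is, because of that RCU reader, and the Fixes: tag is appropriate. kfree_rcu(hook, rcu) depends on struct nft_hook embedding a struct rcu_head named rcu, which the nf_tables.h hunk in 03/16 shows is already the case. Suggest the commit message name the dump path as the reader being protected instead of hedging.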
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org, Florian Westphal, Eric Garver
Subject: [nf-next PATCH v3 02/16] netfilter: nf_tables: Flowtable hook's pf value never varies
Date: Thu, 12 Sep 2024 14:21:34 +0200
Message-ID: <20240912122148.12159-3-phil@nwl.cc>
In-Reply-To: <20240912122148.12159-1-phil@nwl.cc>
References: <20240912122148.12159-1-phil@nwl.cc>

When checking for duplicate hooks in nft_register_flowtable_net_hooks(), comparing ops.pf value is pointless as it is always NFPROTO_NETDEV with flowtable hooks. Dropping the check leaves the search identical to the one in nft_hook_list_find() so call that function instead of open coding.

Fixes: 3f0465a9ef02 ("netfilter: nf_tables: dynamically allocate hooks per net_device in flowtables")
Signed-off-by: Phil Sutter
---
 net/netfilter/nf_tables_api.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 2982f49b6d55..3ffb728309af 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -8544,7 +8544,7 @@ static int nft_register_flowtable_net_hooks(struct net *net, struct list_head *hook_list, struct nft_flowtable *flowtable) { - struct nft_hook *hook, *hook2, *next; + struct nft_hook *hook, *next; struct nft_flowtable *ft; int err, i = 0; 
@@ -8553,12 +8553,9 @@ static int nft_register_flowtable_net_hooks(struct net *net, if (!nft_is_active_next(net, ft)) continue; - list_for_each_entry(hook2, &ft->hook_list, list) { - if (hook->ops.dev == hook2->ops.dev && - hook->ops.pf == hook2->ops.pf) { - err = -EEXIST; - goto err_unregister_net_hooks; - } + if (nft_hook_list_find(&ft->hook_list, hook)) { + err = -EEXIST; + goto err_unregister_net_hooks; } }

From patchwork Thu Sep 12 12:21:35 2024
X-Patchwork-Submitter: Phil Sutter
X-Patchwork-Id: 1984660
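Review bot: in the nft_register_flowtable_net_hooks() hunk of 02/16 above, the Fixes: tag does not fit the change: removing a comparison that is always true (ops.pf is always NFPROTO_NETDEV for flowtable hooks) alters no behaviour, and Fixes: invites a stable backport nobody needs; naming the introducing commit in prose would suffice. Note also that the replacement is behaviour-preserving only while nft_hook_list_find() compares ops.dev, as its pre-image in the 05/16 hunk shows; once 05/16 switches that helper to strcmp() on the stored ifname, this -EEXIST check silently becomes a name comparison, so the dependency between the two patches deserves a sentence here.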
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org, Florian Westphal, Eric Garver
Subject: [nf-next PATCH v3 03/16] netfilter: nf_tables: Store user-defined hook ifname
Date: Thu, 12 Sep 2024 14:21:35 +0200
Message-ID: <20240912122148.12159-4-phil@nwl.cc>
In-Reply-To: <20240912122148.12159-1-phil@nwl.cc>
References: <20240912122148.12159-1-phil@nwl.cc>

Prepare for hooks with NULL ops.dev pointer (due to non-existent device) and store the interface name and length as specified by the user upon creation. No functional change intended.

Signed-off-by: Phil Sutter
---
 include/net/netfilter/nf_tables.h | 2 ++
 net/netfilter/nf_tables_api.c | 6 +++---
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index c302b396e1a7..efd6b55b4914 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1191,6 +1191,8 @@ struct nft_hook { struct list_head list; struct nf_hook_ops ops; struct rcu_head rcu; + char ifname[IFNAMSIZ]; + u8 ifnamelen; }; /**
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 3ffb728309af..f1710aab5188 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -2173,7 +2173,6 @@ static struct nft_hook *nft_netdev_hook_alloc(struct net *net, const struct nlattr *attr) { struct net_device *dev; - char ifname[IFNAMSIZ]; struct nft_hook *hook; int err; 
@@ -2183,12 +2182,13 @@ static struct nft_hook *nft_netdev_hook_alloc(struct net *net, goto err_hook_alloc; } - nla_strscpy(ifname, attr, IFNAMSIZ); + nla_strscpy(hook->ifname, attr, IFNAMSIZ); + hook->ifnamelen = nla_len(attr); /* nf_tables_netdev_event() is called under rtnl_mutex, this is * indirectly serializing all the other holders of the commit_mutex with * the rtnl_mutex. */ - dev = __dev_get_by_name(net, ifname); + dev = __dev_get_by_name(net, hook->ifname); if (!dev) { err = -ENOENT; goto err_hook_dev;

From patchwork Thu Sep 12 12:21:36 2024
X-Patchwork-Submitter: Phil Sutter
X-Patchwork-Id: 1984654
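Review bot: in the nft_netdev_hook_alloc() hunk of 03/16 above, hook->ifnamelen = nla_len(attr) records the raw attribute payload length rather than what nla_strscpy() actually stored: nla_len() counts a trailing NUL only if user space sent one, and nothing in this hunk bounds the value to IFNAMSIZ (that rests on the netlink policy for the attribute, which is not shown). Because 04/16 later passes hook->ifnamelen straight into nla_put(skb, NFTA_DEVICE_NAME, hook->ifnamelen, hook->ifname), a value larger than IFNAMSIZ would copy bytes beyond ifname[] into the dump. Prefer deriving the length from the copy, e.g. `hook->ifnamelen = strlen(hook->ifname) + 1;` after nla_strscpy() (which always NUL-terminates within IFNAMSIZ), or check nla_strscpy()'s -E2BIG return and clamp, and add a comment stating the bound that makes u8 sufficient.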
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org, Florian Westphal, Eric Garver
Subject: [nf-next PATCH v3 04/16] netfilter: nf_tables: Use stored ifname in netdev hook dumps
Date: Thu, 12 Sep 2024 14:21:36 +0200
Message-ID: <20240912122148.12159-5-phil@nwl.cc>
In-Reply-To: <20240912122148.12159-1-phil@nwl.cc>
References: <20240912122148.12159-1-phil@nwl.cc>

The stored ifname and ops.dev->name may deviate after creation due to interface name changes. Prefer the more deterministic stored name in dumps, which also helps avoid inadvertent changes to stored ruleset dumps.

Signed-off-by: Phil Sutter
---
 net/netfilter/nf_tables_api.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index f1710aab5188..4fb230e4afe3 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1853,15 +1853,16 @@ static int nft_dump_basechain_hook(struct sk_buff *skb, int family, if (!first) first = hook; - if (nla_put_string(skb, NFTA_DEVICE_NAME, - hook->ops.dev->name)) + if (nla_put(skb, NFTA_DEVICE_NAME, + hook->ifnamelen, hook->ifname)) goto nla_put_failure; n++; } nla_nest_end(skb, nest_devs); if (n == 1 && - nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name)) + nla_put(skb, NFTA_HOOK_DEV, + first->ifnamelen, first->ifname)) goto nla_put_failure; } nla_nest_end(skb, nest); 
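Review bot: in the nft_dump_basechain_hook() hunk of 04/16 above, replacing nla_put_string() with nla_put(skb, ..., hook->ifnamelen, hook->ifname) subtly changes what goes on the wire: nla_put_string() always emits strlen(name) + 1 bytes, i.e. a NUL-terminated string, while ifnamelen (taken from nla_len(attr) in 03/16) includes the terminator only if the creating client sent one. A hook created without a trailing NUL is therefore dumped without one, and a consumer that validates NFTA_DEVICE_NAME or NFTA_HOOK_DEV as a NUL-terminated string will reject exactly the stored dump the commit message wants to keep stable. Either normalise ifnamelen at creation so it always includes the NUL, or keep nla_put_string() and simply pass hook->ifname / first->ifname, which is safe because nla_strscpy() NUL-terminates the buffer.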
@@ -8968,7 +8969,8 @@ static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net, hook_list = &flowtable->hook_list; list_for_each_entry_rcu(hook, hook_list, list) { - if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name)) + if (nla_put(skb, NFTA_DEVICE_NAME, + hook->ifnamelen, hook->ifname)) goto nla_put_failure; } nla_nest_end(skb, nest_devs);

From patchwork Thu Sep 12 12:21:37 2024
X-Patchwork-Submitter: Phil Sutter
X-Patchwork-Id: 1984662
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org, Florian Westphal, Eric Garver
Subject: [nf-next PATCH v3 05/16] netfilter: nf_tables: Compare netdev hooks based on stored name
Date: Thu, 12 Sep 2024 14:21:37 +0200
Message-ID: <20240912122148.12159-6-phil@nwl.cc>
In-Reply-To: <20240912122148.12159-1-phil@nwl.cc>
References: <20240912122148.12159-1-phil@nwl.cc>

The 1:1 relationship between nft_hook and nf_hook_ops is about to break, so choose the stored ifname to uniquely identify hooks.

Signed-off-by: Phil Sutter
---
 net/netfilter/nf_tables_api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 4fb230e4afe3..457696f55003 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2210,7 +2210,7 @@ static struct nft_hook *nft_hook_list_find(struct list_head *hook_list, struct nft_hook *hook; list_for_each_entry(hook, hook_list, list) { - if (this->ops.dev == hook->ops.dev) + if (!strcmp(hook->ifname, this->ifname)) return hook; }

From patchwork Thu Sep 12 12:21:38 2024
X-Patchwork-Submitter: Phil Sutter
X-Patchwork-Id: 1984661
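Review bot: in the nft_hook_list_find() hunk of 05/16 above, strcmp() is only safe because nla_strscpy() in 03/16 guarantees a NUL inside ifname[IFNAMSIZ]; a one-line comment on that invariant would help, especially since the dump path in 04/16 identifies the same name by ifnamelen rather than by the NUL, and the two can drift if ifnamelen is ever set from anything but the copied string. Comparing both fields, e.g. `hook->ifnamelen == this->ifnamelen && !memcmp(hook->ifname, this->ifname, hook->ifnamelen)`, keeps lookup and dump consistent. The commit message should also spell out the user-visible effect: after an interface rename, a new hook given the device's current name no longer collides with an existing hook created under the old name even though both bind the same net_device (the old ops.dev comparison caught that), so through the 02/16 call site two flowtables can now register hooks on one device; worth confirming that double registration is acceptable.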
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org, Florian Westphal, Eric Garver
Subject: [nf-next PATCH v3 06/16] netfilter: nf_tables: Tolerate chains with no remaining hooks
Date: Thu, 12 Sep 2024 14:21:38 +0200
Message-ID: <20240912122148.12159-7-phil@nwl.cc>
In-Reply-To: <20240912122148.12159-1-phil@nwl.cc>
References: <20240912122148.12159-1-phil@nwl.cc>

Do not drop a netdev-family chain if the last interface it is registered for vanishes. Users dumping and storing the ruleset upon shutdown for restore upon next boot may otherwise lose the chain and all contained rules. They will still lose the list of devices; a later patch will fix that.

For now, this aligns the event handler's behaviour with that for flowtables. The controversial situation at netns exit should be no problem here: event handler will unregister the hooks, core nftables cleanup code will drop the chain itself.

Signed-off-by: Phil Sutter
---
 include/net/netfilter/nf_tables.h |  2 --
 net/netfilter/nf_tables_api.c     | 21 ---------------------
 net/netfilter/nft_chain_filter.c  | 29 +++++++----------------------
 3 files changed, 7 insertions(+), 45 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index efd6b55b4914..16daffcee0e1 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -1228,8 +1228,6 @@ static inline bool nft_is_base_chain(const struct nft_chain *chain) return chain->flags & NFT_CHAIN_BASE; } -int __nft_release_basechain(struct nft_ctx *ctx); - unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv); static inline bool nft_use_inc(u32 *use) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 457696f55003..46d4e9056bf1 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -11386,27 +11386,6 @@ int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data, } EXPORT_SYMBOL_GPL(nft_data_dump); -int __nft_release_basechain(struct nft_ctx *ctx) -{ - struct nft_rule *rule, *nr; - - if (WARN_ON(!nft_is_base_chain(ctx->chain))) - return 0; - - nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain); - list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) { - list_del(&rule->list); - nft_use_dec(&ctx->chain->use); - nf_tables_rule_release(ctx, rule); - } - nft_chain_del(ctx->chain); - nft_use_dec(&ctx->table->use); - nf_tables_chain_destroy(ctx->chain); - - return 0; -} -EXPORT_SYMBOL_GPL(__nft_release_basechain); - static void __nft_release_hook(struct net *net, struct nft_table *table) { struct nft_flowtable *flowtable; diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c index 7010541fcca6..543f258b7c6b 100644 --- a/net/netfilter/nft_chain_filter.c +++ b/net/netfilter/nft_chain_filter.c 
@@ -322,34 +322,19 @@ static void nft_netdev_event(unsigned long event, struct net_device *dev, struct nft_ctx *ctx) { struct nft_base_chain *basechain = nft_base_chain(ctx->chain); - struct nft_hook *hook, *found = NULL; - int n = 0; + struct nft_hook *hook; list_for_each_entry(hook, &basechain->hook_list, list) { - if (hook->ops.dev == dev) - found = hook; - - n++; - } - if (!found) - return; + if (hook->ops.dev != dev) + continue; - if (n > 1) { if (!(ctx->chain->table->flags & NFT_TABLE_F_DORMANT)) - nf_unregister_net_hook(ctx->net, &found->ops); + nf_unregister_net_hook(ctx->net, &hook->ops); - list_del_rcu(&found->list); - kfree_rcu(found, rcu); - return; + list_del_rcu(&hook->list); + kfree_rcu(hook, rcu); + break; } - - /* UNREGISTER events are also happening on netns exit. * * Although nf_tables core releases all tables/chains, only this event * handler provides guarantee that hook->ops.dev is still accessible, * so we cannot skip exiting net namespaces. */ - __nft_release_basechain(ctx); } static int nf_tables_netdev_event(struct notifier_block *this,

From patchwork Thu Sep 12 12:21:39 2024 X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1984658
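Review bot: in the nft_netdev_event() hunk of 06/16 the comment explaining UNREGISTER events on netns exit is deleted together with the __nft_release_basechain() call, so nothing in the handler now says that leaving basechain->hook_list empty is intentional and that chain teardown is left to nf_tables core. Keep a short comment at the `break` stating exactly that (the commit message already has the wording), otherwise the next reader will reintroduce a chain release here. The `break` after the first match is correct only because nf_tables_parse_netdev_hooks() rejects duplicate devices with -EEXIST (see the hunk at @@ -2240 in 07/16); worth a word in the comment too, since 10/16 rewrites this loop.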
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org, Florian Westphal, Eric Garver
Subject: [nf-next PATCH v3 07/16] netfilter: nf_tables: Introduce functions freeing nft_hook objects
Date: Thu, 12 Sep 2024 14:21:39 +0200
Message-ID: <20240912122148.12159-8-phil@nwl.cc>
In-Reply-To: <20240912122148.12159-1-phil@nwl.cc>
References: <20240912122148.12159-1-phil@nwl.cc>

Pointless wrappers around kfree() for now, prep work for an embedded list of nf_hook_ops.

Signed-off-by: Phil Sutter
---
 net/netfilter/nf_tables_api.c | 34 ++++++++++++++++++++++------------
 1 file changed, 22 insertions(+), 12 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 46d4e9056bf1..dedf50ba266c 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -2134,6 +2134,16 @@ static void nf_tables_chain_free_chain_rules(struct nft_chain *chain) kvfree(chain->blob_next); } +static void nft_netdev_hook_free(struct nft_hook *hook) +{ + kfree(hook); +} + +static void nft_netdev_hook_free_rcu(struct nft_hook *hook) +{ + kfree_rcu(hook, rcu); +} + void nf_tables_chain_destroy(struct nft_chain *chain) { const struct nft_table *table = chain->table; @@ -2152,7 +2162,7 @@ void nf_tables_chain_destroy(struct nft_chain *chain) list_for_each_entry_safe(hook, next, &basechain->hook_list, list) { list_del_rcu(&hook->list); - kfree_rcu(hook, rcu); + nft_netdev_hook_free_rcu(hook); } } module_put(basechain->type->owner); @@ -2240,7 +2250,7 @@ static int nf_tables_parse_netdev_hooks(struct net *net, } if (nft_hook_list_find(hook_list, hook)) { NL_SET_BAD_ATTR(extack, tmp); - kfree(hook); + nft_netdev_hook_free(hook); err = -EEXIST; goto err_hook; }
@@ -2258,7 +2268,7 @@ static int nf_tables_parse_netdev_hooks(struct net *net, err_hook: list_for_each_entry_safe(hook, next, hook_list, list) { list_del(&hook->list); - kfree(hook); + nft_netdev_hook_free(hook); } return err; } @@ -2401,7 +2411,7 @@ static void nft_chain_release_hook(struct nft_chain_hook *hook) list_for_each_entry_safe(h, next, &hook->list, list) { list_del(&h->list); - kfree(h); + nft_netdev_hook_free(h); } module_put(hook->type->owner); } @@ -2691,7 +2701,7 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, if (nft_hook_list_find(&basechain->hook_list, h)) { list_del(&h->list); - kfree(h); + nft_netdev_hook_free(h); } } } else { @@ -2812,7 +2822,7 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, if (unregister) nf_unregister_net_hook(ctx->net, &h->ops); list_del(&h->list); - kfree_rcu(h, rcu); + nft_netdev_hook_free_rcu(h); } module_put(hook.type->owner); } @@ -8586,7 +8596,7 @@ static int nft_register_flowtable_net_hooks(struct net *net, nft_unregister_flowtable_hook(net, flowtable, hook); list_del_rcu(&hook->list); - kfree_rcu(hook, rcu); + nft_netdev_hook_free_rcu(hook); } return err; @@ -8598,7 +8608,7 @@ static void nft_hooks_destroy(struct list_head *hook_list) list_for_each_entry_safe(hook, next, hook_list, list) { list_del_rcu(&hook->list); - kfree_rcu(hook, rcu); + nft_netdev_hook_free_rcu(hook); } } @@ -8622,7 +8632,7 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) { if (nft_hook_list_find(&flowtable->hook_list, hook)) { list_del(&hook->list); - kfree(hook); + nft_netdev_hook_free(hook); } } @@ -8669,7 +8679,7 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, if (unregister) nft_unregister_flowtable_hook(ctx->net, flowtable, hook); list_del_rcu(&hook->list); - kfree_rcu(hook, rcu); + nft_netdev_hook_free_rcu(hook); } return err; 
@@ -8815,7 +8825,7 @@ static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook list_for_each_entry_safe(this, next, &flowtable_hook->list, list) { list_del(&this->list); - kfree(this); + nft_netdev_hook_free(this); } } 
@@ -9179,7 +9189,7 @@ static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable) flowtable->data.type->setup(&flowtable->data, hook->ops.dev, FLOW_BLOCK_UNBIND); list_del_rcu(&hook->list); - kfree_rcu(hook, rcu); + nft_netdev_hook_free_rcu(hook); } kfree(flowtable->name); module_put(flowtable->data.type->owner);

From patchwork Thu Sep 12 12:21:40 2024 X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1984665
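Review bot: nft_netdev_hook_free() and nft_netdev_hook_free_rcu() in 07/16 are static to nf_tables_api.c, yet nft_netdev_event() in nft_chain_filter.c still frees a hook with a bare `kfree_rcu(hook, rcu)` (the hunk in 06/16, still present as context in 08/16). Once the rcu variant has to release an embedded list of nf_hook_ops, that path would leak them; either export the two helpers now (they are the stated prep work for exactly that) or move the hook drop into nf_tables_api.c. Note also that kfree_rcu() cannot run a callback, so the rcu variant will have to become call_rcu() with a function that walks the ops list at that point; a one-line comment on the wrapper would save the next reader the question of why it exists.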
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org, Florian Westphal, Eric Garver
Subject: [nf-next PATCH v3 08/16] netfilter: nf_tables: Introduce nft_hook_find_ops()
Date: Thu, 12 Sep 2024 14:21:40 +0200
Message-ID: <20240912122148.12159-9-phil@nwl.cc>
In-Reply-To: <20240912122148.12159-1-phil@nwl.cc>
References: <20240912122148.12159-1-phil@nwl.cc>

Also a pretty dull wrapper around the hook->ops.dev comparison for now. Will search the embedded nf_hook_ops list in future. The ugly cast to eliminate the const qualifier will vanish then, too.

Signed-off-by: Phil Sutter
---
 include/net/netfilter/nf_tables.h |  3 +++
 net/netfilter/nf_tables_api.c     | 14 +++++++++++++-
 net/netfilter/nf_tables_offload.c |  2 +-
 net/netfilter/nft_chain_filter.c  |  6 ++++--
 net/netfilter/nft_flow_offload.c  |  2 +-
 5 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index 16daffcee0e1..be11518646a3 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h
@@ -1195,6 +1195,9 @@ struct nft_hook { u8 ifnamelen; }; +struct nf_hook_ops *nft_hook_find_ops(const struct nft_hook *hook, + const struct net_device *dev); + /** * struct nft_base_chain - nf_tables base chain * diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index dedf50ba266c..65db4c54cfae 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -9222,13 +9222,25 @@ static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net, return -EMSGSIZE; } +struct nf_hook_ops *nft_hook_find_ops(const struct nft_hook *hook, + const struct net_device *dev) +{ + if (hook->ops.dev == dev) + return (struct nf_hook_ops *)&hook->ops; + + return NULL; +} +EXPORT_SYMBOL_GPL(nft_hook_find_ops); + static void nft_flowtable_event(unsigned long event, struct net_device *dev, struct nft_flowtable *flowtable) { + struct nf_hook_ops *ops; struct nft_hook *hook; list_for_each_entry(hook, &flowtable->hook_list, list) { - if (hook->ops.dev != dev) + ops = nft_hook_find_ops(hook, dev); + if (!ops) continue; /* flow_offload_netdev_event() cleans up entries for us. */ diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c index 64675f1c7f29..75b756f0b9f0 100644 --- a/net/netfilter/nf_tables_offload.c +++ b/net/netfilter/nf_tables_offload.c @@ -638,7 +638,7 @@ static struct nft_chain *__nft_offload_get_chain(const struct nftables_pernet *n found = NULL; basechain = nft_base_chain(chain); list_for_each_entry(hook, &basechain->hook_list, list) { - if (hook->ops.dev != dev) + if (!nft_hook_find_ops(hook, dev)) continue; found = hook; diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c index 543f258b7c6b..d34c6fe7ba72 100644 --- a/net/netfilter/nft_chain_filter.c +++ b/net/netfilter/nft_chain_filter.c 
@@ -322,14 +322,16 @@ static void nft_netdev_event(unsigned long event, struct net_device *dev, struct nft_ctx *ctx) { struct nft_base_chain *basechain = nft_base_chain(ctx->chain); + struct nf_hook_ops *ops; struct nft_hook *hook; list_for_each_entry(hook, &basechain->hook_list, list) { - if (hook->ops.dev != dev) + ops = nft_hook_find_ops(hook, dev); + if (!ops) continue; if (!(ctx->chain->table->flags & NFT_TABLE_F_DORMANT)) - nf_unregister_net_hook(ctx->net, &hook->ops); + nf_unregister_net_hook(ctx->net, ops); list_del_rcu(&hook->list); kfree_rcu(hook, rcu); diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c index 9dcd1548df9d..646192321265 100644 --- a/net/netfilter/nft_flow_offload.c +++ b/net/netfilter/nft_flow_offload.c 
@@ -174,7 +174,7 @@ static bool nft_flowtable_find_dev(const struct net_device *dev, bool found = false; list_for_each_entry_rcu(hook, &ft->hook_list, list) { - if (hook->ops.dev != dev) + if (!nft_hook_find_ops(hook, dev)) continue; found = true;

From patchwork Thu Sep 12 12:21:41 2024 X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1984656
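Review bot: in the nft_flowtable_event() hunk of 08/16, `ops` is assigned from nft_hook_find_ops() and then only tested for NULL, whereas the nft_chain_filter.c hunk actually passes the returned pointer to nf_unregister_net_hook(). Either hand `ops` to the flowtable unregister path as well, or write `if (!nft_hook_find_ops(hook, dev)) continue;` as __nft_offload_get_chain() and nft_flowtable_find_dev() do, so the write-only variable does not draw a compiler warning. The `(struct nf_hook_ops *)&hook->ops` cast is also avoidable already: every caller shown obtains `hook` from a list walk over a non-const list, so the parameter can simply be `struct nft_hook *hook` until the ops list lands.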
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org, Florian Westphal, Eric Garver
Subject: [nf-next PATCH v3 09/16] netfilter: nf_tables: Introduce nft_register_flowtable_ops()
Date: Thu, 12 Sep 2024 14:21:41 +0200
Message-ID: <20240912122148.12159-10-phil@nwl.cc>
In-Reply-To: <20240912122148.12159-1-phil@nwl.cc>
References: <20240912122148.12159-1-phil@nwl.cc>

Facilitate binding and registering of a flowtable hook via a single function call.

Signed-off-by: Phil Sutter
---
 net/netfilter/nf_tables_api.c | 32 +++++++++++++++++++++-----------
 1 file changed, 21 insertions(+), 11 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 65db4c54cfae..dc30d2be09fb 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c
@@ -8550,6 +8550,26 @@ static void nft_unregister_flowtable_net_hooks(struct net *net, __nft_unregister_flowtable_net_hooks(net, hook_list, false); } +static int nft_register_flowtable_ops(struct net *net, + struct nft_flowtable *flowtable, + struct nf_hook_ops *ops) +{ + int err; + + err = flowtable->data.type->setup(&flowtable->data, + ops->dev, FLOW_BLOCK_BIND); + if (err < 0) + return err; + + err = nf_register_net_hook(net, ops); + if (!err) + return 0; + + flowtable->data.type->setup(&flowtable->data, + ops->dev, FLOW_BLOCK_UNBIND); + return err; +} + static int nft_register_flowtable_net_hooks(struct net *net, struct nft_table *table, struct list_head *hook_list, 
@@ -8570,20 +8590,10 @@ static int nft_register_flowtable_net_hooks(struct net *net, } } - err = flowtable->data.type->setup(&flowtable->data, - hook->ops.dev, - FLOW_BLOCK_BIND); + err = nft_register_flowtable_ops(net, flowtable, &hook->ops); if (err < 0) goto err_unregister_net_hooks; - err = nf_register_net_hook(net, &hook->ops); - if (err < 0) { - flowtable->data.type->setup(&flowtable->data, - hook->ops.dev, - FLOW_BLOCK_UNBIND); - goto err_unregister_net_hooks; - } - i++; }

From patchwork Thu Sep 12 12:21:42 2024 X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1984664
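Review bot: nft_register_flowtable_ops() in 09/16 pairs setup(FLOW_BLOCK_BIND) with nf_register_net_hook() per nf_hook_ops, but there is no nft_unregister_flowtable_ops() doing the reverse at the same granularity; the teardown paths (err_unregister_net_hooks in this function, nf_tables_flowtable_destroy() in the last hunk of 07/16) still open-code setup(FLOW_BLOCK_UNBIND) against hook->ops.dev. Add the symmetric helper in this patch, so that 10/16, which turns ops into a list, can unbind and unregister per ops without duplicating the sequence. Minor: the new function mixes `if (err < 0) return err;` with `if (!err) return 0;` for the same kind of check; pick one idiom.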
From: Phil Sutter To: Pablo Neira Ayuso Cc: netfilter-devel@vger.kernel.org, Florian Westphal , Eric Garver Subject: [nf-next PATCH v3 10/16] netfilter: nf_tables: Have a list of nf_hook_ops in nft_hook Date: Thu, 12 Sep 2024 14:21:42 +0200 Message-ID: <20240912122148.12159-11-phil@nwl.cc> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240912122148.12159-1-phil@nwl.cc> References: <20240912122148.12159-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Supporting a 1:n relationship between nft_hook and nf_hook_ops is convenient since a chain's or flowtable's nft_hooks may remain in place despite matching interfaces disappearing. This stabilizes ruleset dumps in that regard and opens the possibility to claim newly added interfaces which match the spec. Also it prepares for wildcard interface specs since these will potentially match multiple interfaces. All spots dealing with hook registration are updated to potentially handle a list of multiple nf_hook_ops, but nft_netdev_hook_alloc() only adds a single item for now to retain the old behaviour. The only expected functional change here is how vanishing interfaces are handled: Instead of dropping the respective nft_hook, only the matching nf_hook_ops are dropped. Signed-off-by: Phil Sutter --- include/linux/netfilter.h | 2 + include/net/netfilter/nf_tables.h | 2 +- net/netfilter/nf_tables_api.c | 155 +++++++++++++++++++++--------- net/netfilter/nf_tables_offload.c | 49 ++++++---- net/netfilter/nft_chain_filter.c | 6 +- 5 files changed, 143 insertions(+), 71 deletions(-) diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h index 2683b2b77612..1318f18784ab 100644 --- a/include/linux/netfilter.h +++ b/include/linux/netfilter.h @@ -95,6 +95,8 @@ enum nf_hook_ops_type { }; struct nf_hook_ops { + struct list_head list; + /* User fills in from here down. */ nf_hookfn *hook; struct net_device *dev; 
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index be11518646a3..991b8d5e52f1 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -1189,7 +1189,7 @@ struct nft_stats { struct nft_hook { struct list_head list; - struct nf_hook_ops ops; + struct list_head ops_list; struct rcu_head rcu; char ifname[IFNAMSIZ]; u8 ifnamelen; diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index dc30d2be09fb..64f8305189f1 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -299,25 +299,30 @@ void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain) static int nft_netdev_register_hooks(struct net *net, struct list_head *hook_list) { + struct nf_hook_ops *ops; struct nft_hook *hook; int err, j; j = 0; list_for_each_entry(hook, hook_list, list) { - err = nf_register_net_hook(net, &hook->ops); - if (err < 0) - goto err_register; + list_for_each_entry(ops, &hook->ops_list, list) { + err = nf_register_net_hook(net, ops); + if (err < 0) + goto err_register; - j++; + j++; + } } return 0; err_register: list_for_each_entry(hook, hook_list, list) { - if (j-- <= 0) - break; + list_for_each_entry(ops, &hook->ops_list, list) { + if (j-- <= 0) + break; - nf_unregister_net_hook(net, &hook->ops); + nf_unregister_net_hook(net, ops); + } } return err; } @@ -326,10 +331,17 @@ static void nft_netdev_unregister_hooks(struct net *net, struct list_head *hook_list, bool release_netdev) { + struct nf_hook_ops *ops, *nextops; struct nft_hook *hook, *next; list_for_each_entry_safe(hook, next, hook_list, list) { - nf_unregister_net_hook(net, &hook->ops); + list_for_each_entry_safe(ops, nextops, &hook->ops_list, list) { + nf_unregister_net_hook(net, ops); + if (release_netdev) { + list_del(&ops->list); + kfree(ops); + } + } if (release_netdev) { list_del(&hook->list); kfree_rcu(hook, rcu); 
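Review bot: In the err_register unwind of nft_netdev_register_hooks(), `if (j-- <= 0) break;` only leaves the inner ops_list loop, so the outer hook_list loop keeps visiting the remaining hooks, decrementing j further below zero and breaking again on each one. It is harmless, but `return err;` (or a goto past the outer loop) in place of `break` states the intent of the count-based unwind more clearly; the same pattern appears in the err_unregister_net_hooks path of nft_register_flowtable_net_hooks() and in err_flow_block of nft_flow_block_chain() later in this patch.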
@@ -2134,13 +2146,25 @@ static void nf_tables_chain_free_chain_rules(struct nft_chain *chain) kvfree(chain->blob_next); } +static void nft_netdev_hook_free_ops(struct nft_hook *hook) +{ + struct nf_hook_ops *ops, *next; + + list_for_each_entry_safe(ops, next, &hook->ops_list, list) { + list_del(&ops->list); + kfree(ops); + } +} + static void nft_netdev_hook_free(struct nft_hook *hook) { + nft_netdev_hook_free_ops(hook); kfree(hook); } static void nft_netdev_hook_free_rcu(struct nft_hook *hook) { + nft_netdev_hook_free_ops(hook); kfree_rcu(hook, rcu); } @@ -2183,6 +2207,7 @@ void nf_tables_chain_destroy(struct nft_chain *chain) static struct nft_hook *nft_netdev_hook_alloc(struct net *net, const struct nlattr *attr) { + struct nf_hook_ops *ops; struct net_device *dev; struct nft_hook *hook; int err; @@ -2192,6 +2217,7 @@ static struct nft_hook *nft_netdev_hook_alloc(struct net *net, err = -ENOMEM; goto err_hook_alloc; } + INIT_LIST_HEAD(&hook->ops_list); nla_strscpy(hook->ifname, attr, IFNAMSIZ); hook->ifnamelen = nla_len(attr); @@ -2204,7 +2230,14 @@ static struct nft_hook *nft_netdev_hook_alloc(struct net *net, err = -ENOENT; goto err_hook_dev; } - hook->ops.dev = dev; + + ops = kzalloc(sizeof(struct nf_hook_ops), GFP_KERNEL_ACCOUNT); + if (!ops) { + err = -ENOMEM; + goto err_hook_dev; + } + ops->dev = dev; + list_add_tail(&ops->list, &hook->ops_list); return hook; @@ -2464,6 +2497,7 @@ static int nft_basechain_init(struct nft_base_chain *basechain, u8 family, struct nft_chain_hook *hook, u32 flags) { struct nft_chain *chain; + struct nf_hook_ops *ops; struct nft_hook *h; basechain->type = hook->type; 
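Review bot: nft_netdev_hook_free_rcu() now kfree()s every nf_hook_ops on hook->ops_list synchronously while the nft_hook itself is still deferred with kfree_rcu(); a reader that reaches the hook under RCU and then walks ops_list would dereference freed memory. If ops_list is only ever walked with the commit mutex or rtnl held, a comment on the new ops_list member of struct nft_hook saying so would settle it; otherwise the ops need the same RCU deferral as the hook.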
@@ -2472,8 +2506,10 @@ static int nft_basechain_init(struct nft_base_chain *basechain, u8 family, if (nft_base_chain_netdev(family, hook->num)) { list_splice_init(&hook->list, &basechain->hook_list); - list_for_each_entry(h, &basechain->hook_list, list) - nft_basechain_hook_init(&h->ops, family, hook, chain); + list_for_each_entry(h, &basechain->hook_list, list) { + list_for_each_entry(ops, &h->ops_list, list) + nft_basechain_hook_init(ops, family, hook, chain); + } } nft_basechain_hook_init(&basechain->ops, family, hook, chain); @@ -2693,11 +2729,13 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) { list_for_each_entry_safe(h, next, &hook.list, list) { - h->ops.pf = basechain->ops.pf; - h->ops.hooknum = basechain->ops.hooknum; - h->ops.priority = basechain->ops.priority; - h->ops.priv = basechain->ops.priv; - h->ops.hook = basechain->ops.hook; + list_for_each_entry(ops, &h->ops_list, list) { + ops->pf = basechain->ops.pf; + ops->hooknum = basechain->ops.hooknum; + ops->priority = basechain->ops.priority; + ops->priv = basechain->ops.priv; + ops->hook = basechain->ops.hook; + } if (nft_hook_list_find(&basechain->hook_list, h)) { list_del(&h->list); @@ -2819,8 +2857,10 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, err_hooks: if (nla[NFTA_CHAIN_HOOK]) { list_for_each_entry_safe(h, next, &hook.list, list) { - if (unregister) - nf_unregister_net_hook(ctx->net, &h->ops); + if (unregister) { + list_for_each_entry(ops, &h->ops_list, list) + nf_unregister_net_hook(ctx->net, ops); + } list_del(&h->list); nft_netdev_hook_free_rcu(h); } @@ -8420,6 +8460,7 @@ static int nft_flowtable_parse_hook(const struct nft_ctx *ctx, struct netlink_ext_ack *extack, bool add) { struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1]; + struct nf_hook_ops *ops; struct nft_hook *hook; int hooknum, priority; int err; 
@@ -8474,11 +8515,13 @@ static int nft_flowtable_parse_hook(const struct nft_ctx *ctx, } list_for_each_entry(hook, &flowtable_hook->list, list) { - hook->ops.pf = NFPROTO_NETDEV; - hook->ops.hooknum = flowtable_hook->num; - hook->ops.priority = flowtable_hook->priority; - hook->ops.priv = &flowtable->data; - hook->ops.hook = flowtable->data.type->hook; + list_for_each_entry(ops, &hook->ops_list, list) { + ops->pf = NFPROTO_NETDEV; + ops->hooknum = flowtable_hook->num; + ops->priority = flowtable_hook->priority; + ops->priv = &flowtable->data; + ops->hook = flowtable->data.type->hook; + } } return err; @@ -8520,12 +8563,12 @@ nft_flowtable_type_get(struct net *net, u8 family) } /* Only called from error and netdev event paths. */ -static void nft_unregister_flowtable_hook(struct net *net, - struct nft_flowtable *flowtable, - struct nft_hook *hook) +static void nft_unregister_flowtable_ops(struct net *net, + struct nft_flowtable *flowtable, + struct nf_hook_ops *ops) { - nf_unregister_net_hook(net, &hook->ops); - flowtable->data.type->setup(&flowtable->data, hook->ops.dev, + nf_unregister_net_hook(net, ops); + flowtable->data.type->setup(&flowtable->data, ops->dev, FLOW_BLOCK_UNBIND); } @@ -8533,10 +8576,17 @@ static void __nft_unregister_flowtable_net_hooks(struct net *net, struct list_head *hook_list, bool release_netdev) { + struct nf_hook_ops *ops, *nextops; struct nft_hook *hook, *next; list_for_each_entry_safe(hook, next, hook_list, list) { - nf_unregister_net_hook(net, &hook->ops); + list_for_each_entry_safe(ops, nextops, &hook->ops_list, list) { + nf_unregister_net_hook(net, ops); + if (release_netdev) { + list_del(&ops->list); + kfree(ops); + } + } if (release_netdev) { list_del(&hook->list); kfree_rcu(hook, rcu); @@ -8577,6 +8627,7 @@ static int nft_register_flowtable_net_hooks(struct net *net, { struct nft_hook *hook, *next; struct nft_flowtable *ft; + struct nf_hook_ops *ops; int err, i = 0; list_for_each_entry(hook, hook_list, list) { 
@@ -8590,21 +8641,25 @@ static int nft_register_flowtable_net_hooks(struct net *net, } } - err = nft_register_flowtable_ops(net, flowtable, &hook->ops); - if (err < 0) - goto err_unregister_net_hooks; + list_for_each_entry(ops, &hook->ops_list, list) { + err = nft_register_flowtable_ops(net, flowtable, ops); + if (err < 0) + goto err_unregister_net_hooks; - i++; + i++; + } } return 0; err_unregister_net_hooks: list_for_each_entry_safe(hook, next, hook_list, list) { - if (i-- <= 0) - break; + list_for_each_entry(ops, &hook->ops_list, list) { + if (i-- <= 0) + break; - nft_unregister_flowtable_hook(net, flowtable, hook); + nft_unregister_flowtable_ops(net, flowtable, ops); + } list_del_rcu(&hook->list); nft_netdev_hook_free_rcu(hook); } @@ -8629,6 +8684,7 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, const struct nlattr * const *nla = ctx->nla; struct nft_flowtable_hook flowtable_hook; struct nft_hook *hook, *next; + struct nf_hook_ops *ops; struct nft_trans *trans; bool unregister = false; u32 flags; @@ -8686,8 +8742,11 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, err_flowtable_update_hook: list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) { - if (unregister) - nft_unregister_flowtable_hook(ctx->net, flowtable, hook); + if (unregister) { + list_for_each_entry(ops, &hook->ops_list, list) + nft_unregister_flowtable_ops(ctx->net, + flowtable, ops); + } list_del_rcu(&hook->list); nft_netdev_hook_free_rcu(hook); } 
@@ -9193,11 +9252,14 @@ static void nf_tables_flowtable_notify(struct nft_ctx *ctx, static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable) { struct nft_hook *hook, *next; + struct nf_hook_ops *ops; flowtable->data.type->free(&flowtable->data); list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { - flowtable->data.type->setup(&flowtable->data, hook->ops.dev, - FLOW_BLOCK_UNBIND); + list_for_each_entry(ops, &hook->ops_list, list) + flowtable->data.type->setup(&flowtable->data, + ops->dev, + FLOW_BLOCK_UNBIND); list_del_rcu(&hook->list); nft_netdev_hook_free_rcu(hook); } @@ -9235,9 +9297,12 @@ static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net, struct nf_hook_ops *nft_hook_find_ops(const struct nft_hook *hook, const struct net_device *dev) { - if (hook->ops.dev == dev) - return (struct nf_hook_ops *)&hook->ops; + struct nf_hook_ops *ops; + list_for_each_entry(ops, &hook->ops_list, list) { + if (ops->dev == dev) + return ops; + } return NULL; } EXPORT_SYMBOL_GPL(nft_hook_find_ops); @@ -9254,9 +9319,9 @@ static void nft_flowtable_event(unsigned long event, struct net_device *dev, continue; /* flow_offload_netdev_event() cleans up entries for us. */ - nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook); - list_del_rcu(&hook->list); - kfree_rcu(hook, rcu); + nft_unregister_flowtable_ops(dev_net(dev), flowtable, ops); + list_del(&ops->list); + kfree(ops); break; } } diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c index 75b756f0b9f0..fd30e205de84 100644 --- a/net/netfilter/nf_tables_offload.c +++ b/net/netfilter/nf_tables_offload.c @@ -220,6 +220,7 @@ static int nft_chain_offload_priority(const struct nft_base_chain *basechain) bool nft_chain_offload_support(const struct nft_base_chain *basechain) { + struct nf_hook_ops *ops; struct net_device *dev; struct nft_hook *hook; 
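Review bot: In nft_flowtable_event() the `break` after kfree(ops) still stops at the first hook matching dev, whereas the nft_chain_filter.c counterpart in this same patch drops its break and keeps scanning; chains and flowtables should handle a vanishing interface the same way. The immediate kfree(ops) after nft_unregister_flowtable_ops() is only safe because nf_unregister_net_hook() synchronizes against in-flight packets before returning; a one-line comment there would keep a later change from turning it into a use-after-free.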
@@ -227,13 +228,16 @@ bool nft_chain_offload_support(const struct nft_base_chain *basechain) return false; list_for_each_entry(hook, &basechain->hook_list, list) { - if (hook->ops.pf != NFPROTO_NETDEV || - hook->ops.hooknum != NF_NETDEV_INGRESS) - return false; - - dev = hook->ops.dev; - if (!dev->netdev_ops->ndo_setup_tc && !flow_indr_dev_exists()) - return false; + list_for_each_entry(ops, &hook->ops_list, list) { + if (ops->pf != NFPROTO_NETDEV || + ops->hooknum != NF_NETDEV_INGRESS) + return false; + + dev = ops->dev; + if (!dev->netdev_ops->ndo_setup_tc && + !flow_indr_dev_exists()) + return false; + } } return true; @@ -455,34 +459,37 @@ static int nft_flow_block_chain(struct nft_base_chain *basechain, const struct net_device *this_dev, enum flow_block_command cmd) { - struct net_device *dev; + struct nf_hook_ops *ops; struct nft_hook *hook; int err, i = 0; list_for_each_entry(hook, &basechain->hook_list, list) { - dev = hook->ops.dev; - if (this_dev && this_dev != dev) - continue; + list_for_each_entry(ops, &hook->ops_list, list) { + if (this_dev && this_dev != ops->dev) + continue; - err = nft_chain_offload_cmd(basechain, dev, cmd); - if (err < 0 && cmd == FLOW_BLOCK_BIND) { - if (!this_dev) - goto err_flow_block; + err = nft_chain_offload_cmd(basechain, ops->dev, cmd); + if (err < 0 && cmd == FLOW_BLOCK_BIND) { + if (!this_dev) + goto err_flow_block; - return err; + return err; + } + i++; } - i++; } return 0; err_flow_block: list_for_each_entry(hook, &basechain->hook_list, list) { - if (i-- <= 0) - break; + list_for_each_entry(ops, &hook->ops_list, list) { + if (i-- <= 0) + break; - dev = hook->ops.dev; - nft_chain_offload_cmd(basechain, dev, FLOW_BLOCK_UNBIND); + nft_chain_offload_cmd(basechain, ops->dev, + FLOW_BLOCK_UNBIND); + } } return err; } diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c index d34c6fe7ba72..2507e3beac5c 100644 --- a/net/netfilter/nft_chain_filter.c +++ b/net/netfilter/nft_chain_filter.c 
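Review bot: nft_chain_offload_support() now returns true for a hook whose ops_list is empty, a state this patch introduces once a matching interface has disappeared, so an offload-flagged chain reports support although no device is attached. If that is intended, say so in a comment; if not, treat an empty ops_list as unsupported in the outer loop.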
@@ -332,10 +332,8 @@ static void nft_netdev_event(unsigned long event, struct net_device *dev, if (!(ctx->chain->table->flags & NFT_TABLE_F_DORMANT)) nf_unregister_net_hook(ctx->net, ops); - - list_del_rcu(&hook->list); - kfree_rcu(hook, rcu); - break; + list_del(&ops->list); + kfree(ops); } } From patchwork Thu Sep 12 12:21:43 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1984650 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=UcwZcc9B; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:4601:e00::3; helo=am.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-3823-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from am.mirrors.kernel.org (am.mirrors.kernel.org [IPv6:2604:1380:4601:e00::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4X4Glj5bbMz1y1y for ; Thu, 12 Sep 2024 22:22:09 +1000 (AEST) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 9E0FB1F225FF for ; Thu, 12 Sep 2024 12:22:07 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id D35061A3021; Thu, 12 Sep 2024 12:22:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; 
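Review bot: Replacing list_del_rcu()/kfree_rcu() of the hook with list_del()/kfree() of the single ops leaves an nft_hook with an empty ops_list in basechain->hook_list, which is the behaviour the commit message describes, but removing the `break` also changes the loop to keep scanning all hooks after a match, which the message does not mention. Worth stating in the log, together with the consequence that a hook's ifname in a ruleset dump no longer implies a registered nf_hook_ops.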
:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=s+hdYPjHy51B83mynSlEIBjsIdD/JkM+tYg4cgrNF2g=; b=UcwZcc9BFEs+qGvqNI2K9akajm e8am4LbI6iTW51XH2DO2d78XLVcgHJVuluMHMRVRvrHIfozfGJV86A8GsLsC2aP6i1RQZp+oAnyzy /Doi99ykyGB0Ofas5eJkQu/zh6TKwsPWbbVRwji0qs9SpBo50gKcrSh9uDTgTSp7N1rH4Z6HEuU6Q NqnJiA+rQwZjNw5HhDAEwdhmwrJE37U4HmEqdxXcncrnkYZVwk9hci1OyQPZu3A0kRw6cZubfQDOc IHKhm3bQ4eyLDjACO8HNZZUUohz916AM44GuhJXpidYWtxPQXTzyOgPuW+BCANND+d5Z6VT/gs+C7 hS7ZYbDg==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.97.1) (envelope-from ) id 1soipk-000000004Eh-2WIB; Thu, 12 Sep 2024 14:22:00 +0200 From: Phil Sutter To: Pablo Neira Ayuso Cc: netfilter-devel@vger.kernel.org, Florian Westphal , Eric Garver Subject: [nf-next PATCH v3 11/16] netfilter: nf_tables: chain: Respect NETDEV_REGISTER events Date: Thu, 12 Sep 2024 14:21:43 +0200 Message-ID: <20240912122148.12159-12-phil@nwl.cc> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240912122148.12159-1-phil@nwl.cc> References: <20240912122148.12159-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Hook into new devices if their name matches the hook spec. Signed-off-by: Phil Sutter --- net/netfilter/nft_chain_filter.c | 40 +++++++++++++++++++++++++------- 1 file changed, 32 insertions(+), 8 deletions(-) diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c index 2507e3beac5c..ec44c27a9d91 100644 --- a/net/netfilter/nft_chain_filter.c +++ b/net/netfilter/nft_chain_filter.c 
@@ -326,14 +326,37 @@ static void nft_netdev_event(unsigned long event, struct net_device *dev, struct nft_hook *hook; list_for_each_entry(hook, &basechain->hook_list, list) { - ops = nft_hook_find_ops(hook, dev); - if (!ops) - continue; + switch (event) { + case NETDEV_UNREGISTER: + ops = nft_hook_find_ops(hook, dev); + if (!ops) + continue; - if (!(ctx->chain->table->flags & NFT_TABLE_F_DORMANT)) - nf_unregister_net_hook(ctx->net, ops); - list_del(&ops->list); - kfree(ops); + if (!(ctx->chain->table->flags & NFT_TABLE_F_DORMANT)) + nf_unregister_net_hook(ctx->net, ops); + list_del(&ops->list); + kfree(ops); + break; + case NETDEV_REGISTER: + if (strcmp(hook->ifname, dev->name)) + continue; + ops = kzalloc(sizeof(struct nf_hook_ops), + GFP_KERNEL_ACCOUNT); + if (ops) { + memcpy(ops, &basechain->ops, sizeof(*ops)); + ops->dev = dev; + } + if (ops && + (ctx->chain->table->flags & NFT_TABLE_F_DORMANT || + !nf_register_net_hook(dev_net(dev), ops))) { + list_add_tail(&ops->list, &hook->ops_list); + break; + } + printk(KERN_ERR "chain %s: Can't hook into device %s\n", + ctx->chain->name, dev->name); + kfree(ops); + continue; + } } } 
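Review bot: In the NETDEV_REGISTER case a failed kzalloc() or nf_register_net_hook() is only printk()'d and the loop continues, so the base chain silently stays unattached on an interface its hook spec names; for a filter chain that is a fail-open condition and the message should be rate limited and prefixed (pr_err_ratelimited() or netdev_err()) rather than a bare printk(KERN_ERR ...). Separately, memcpy(ops, &basechain->ops, sizeof(*ops)) also copies the embedded `list` head of basechain->ops; list_add_tail() overwrites it, but an explicit field-by-field init or a comment would avoid the question.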
@@ -349,7 +372,8 @@ static int nf_tables_netdev_event(struct notifier_block *this, .net = dev_net(dev), }; - if (event != NETDEV_UNREGISTER) + if (event != NETDEV_REGISTER && + event != NETDEV_UNREGISTER) return NOTIFY_DONE; nft_net = nft_pernet(ctx.net); From patchwork Thu Sep 12 12:21:44 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1984663 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=D/EfKiXE; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:40f1:3f00::1; helo=sy.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-3834-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org [IPv6:2604:1380:40f1:3f00::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4X4HHz4GFFz1y1C for ; Thu, 12 Sep 2024 22:46:39 +1000 (AEST) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 544C7B2401D for ; Thu, 12 Sep 2024 12:46:39 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 9A8C11A76D7; Thu, 12 Sep 2024 12:45:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification 
List-Post:List-Owner:List-Archive; bh=TanlLLDTixftNoWFm/mW+HQx8h1sVyqCIn8xWo5u/lw=; b=D/EfKiXEGPYriRVooNId86/6ih R53qZnXkgTs0tvOz27ydKhqO3sOVfUH8+tV0PnZe0EUcwAkmOqCYnI+fEaVdJoaIlFu8prR9v0Ifq wJYp0JKUnSG9MOkeTOB8AIKoy4vWAJ6zNENmRqseMi/s0/U1WrLAws67x9xyLhIKpH3TCieUxiQ4I ak2oXpG14DjQJxpLmirXD5617f8sRswGJtCQqzihR9Zo9ISBilprlbfSx509PNGv8Pq7hKqFgH1Um euUlBGzk74vultQu47QmpcQOlYVMeyPsB3ufiFmg+3+QJZ8nDCZy8vjBoiY5cQwFrTYc9n2EBhS9e lHFHyjhg==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.97.1) (envelope-from ) id 1soipf-000000004Da-05GH; Thu, 12 Sep 2024 14:21:55 +0200 From: Phil Sutter To: Pablo Neira Ayuso Cc: netfilter-devel@vger.kernel.org, Florian Westphal , Eric Garver Subject: [nf-next PATCH v3 12/16] netfilter: nf_tables: flowtable: Respect NETDEV_REGISTER events Date: Thu, 12 Sep 2024 14:21:44 +0200 Message-ID: <20240912122148.12159-13-phil@nwl.cc> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240912122148.12159-1-phil@nwl.cc> References: <20240912122148.12159-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Hook into new devices if their name matches the hook spec. Signed-off-by: Phil Sutter --- net/netfilter/nf_tables_api.c | 47 +++++++++++++++++++++++++++-------- 1 file changed, 37 insertions(+), 10 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 64f8305189f1..40cff8539c74 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c 
@@ -9314,15 +9314,41 @@ static void nft_flowtable_event(unsigned long event, struct net_device *dev, struct nft_hook *hook; list_for_each_entry(hook, &flowtable->hook_list, list) { - ops = nft_hook_find_ops(hook, dev); - if (!ops) - continue; + switch (event) { + case NETDEV_UNREGISTER: + ops = nft_hook_find_ops(hook, dev); + if (!ops) + continue; - /* flow_offload_netdev_event() cleans up entries for us. */ - nft_unregister_flowtable_ops(dev_net(dev), flowtable, ops); - list_del(&ops->list); - kfree(ops); - break; + /* flow_offload_netdev_event() cleans up entries for us. */ + nft_unregister_flowtable_ops(dev_net(dev), + flowtable, ops); + list_del(&ops->list); + kfree(ops); + break; + case NETDEV_REGISTER: + if (strcmp(hook->ifname, dev->name)) + continue; + ops = kzalloc(sizeof(struct nf_hook_ops), + GFP_KERNEL_ACCOUNT); + if (ops) { + ops->pf = NFPROTO_NETDEV; + ops->hooknum = flowtable->hooknum; + ops->priority = flowtable->data.priority; + ops->priv = &flowtable->data; + ops->hook = flowtable->data.type->hook; + ops->dev = dev; + } + if (ops && !nft_register_flowtable_ops(dev_net(dev), + flowtable, ops)) { + list_add_tail(&ops->list, &hook->ops_list); + break; + } + printk(KERN_ERR "flowtable %s: Can't hook into device %s\n", + flowtable->name, dev->name); + kfree(ops); + continue; + } } } 
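Review bot: Both `break` statements now sit inside the switch, so on NETDEV_UNREGISTER the for loop keeps iterating after the matching hook instead of stopping as it did before this hunk; harmless with unique ifnames, but an unmentioned behaviour change. The ops initialisation (pf, hooknum, priority, priv, hook) duplicates what nft_flowtable_parse_hook() does for initially configured hooks, reading flowtable->hooknum and flowtable->data.priority here versus flowtable_hook there; a small shared helper would keep the two from drifting. As in the chain counterpart, a registration failure is only printk()'d and leaves the flowtable without an ingress hook on the new device; use a rate-limited pr_err() and state the consequence.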
@@ -9335,8 +9361,9 @@ static int nf_tables_flowtable_event(struct notifier_block *this, struct nft_table *table; struct net *net; - if (event != NETDEV_UNREGISTER) - return 0; + if (event != NETDEV_REGISTER && + event != NETDEV_UNREGISTER) + return NOTIFY_DONE; net = dev_net(dev); nft_net = nft_pernet(net); From patchwork Thu Sep 12 12:21:45 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1984667 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=bgoGJG/z; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:4601:e00::3; helo=am.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-3837-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from am.mirrors.kernel.org (am.mirrors.kernel.org [IPv6:2604:1380:4601:e00::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4X4HJ74xhQz1y1C for ; Thu, 12 Sep 2024 22:46:47 +1000 (AEST) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 7E8BC1F2479D for ; Thu, 12 Sep 2024 12:46:45 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 141541AAE15; Thu, 12 Sep 2024 12:45:42 +0000 (UTC) Authentication-Results: 
:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=6cTrgOBMJ0fmS03g0nS1f7ZauA8PCmX0/1nA4xv955E=; b=bgoGJG/z046ACJ8OtjKOQNqGkW DtOQT0u7+MRqT5qfNPd1JpH6dsE4A6m6QxdqBG53eKQuUQuYg8lv2RMEq8Ui/ybglVmw+01qDh+8f oAdYMjcy4uxqsjDgMKGaq7431ikDhVOp/iYzDVyCM5LSjSQ/8VksLCVTjo3QDvr4lmoqulL/dbDjZ M1F04XZPsb49tIeuUugcBimCbaH7ZgUm5AjcCvoFSTcZEe0H4CKYlGfa5bd6EAnMUfCXbm95gpdiw XuYuJ7SgCwZqa42MqDiJYWlC+6RuQXzaxBizAjURpC1YLpNFASYDIOm/5eEnZfEW//SS1Pz736Wvf mWBiX/BQ==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.97.1) (envelope-from ) id 1soipd-000000004DM-3zHK; Thu, 12 Sep 2024 14:21:53 +0200 From: Phil Sutter To: Pablo Neira Ayuso Cc: netfilter-devel@vger.kernel.org, Florian Westphal , Eric Garver Subject: [nf-next PATCH v3 13/16] netfilter: nf_tables: Handle NETDEV_CHANGENAME events Date: Thu, 12 Sep 2024 14:21:45 +0200 Message-ID: <20240912122148.12159-14-phil@nwl.cc> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240912122148.12159-1-phil@nwl.cc> References: <20240912122148.12159-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 For the sake of simplicity, treat them like consecutive NETDEV_UNREGISTER and NETDEV_REGISTER events. Signed-off-by: Phil Sutter --- net/netfilter/nf_tables_api.c | 4 ++++ net/netfilter/nft_chain_filter.c | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 40cff8539c74..88528775732a 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -9361,6 +9361,10 @@ static int nf_tables_flowtable_event(struct notifier_block *this, struct nft_table *table; struct net *net; + if (event == NETDEV_CHANGENAME) { + nf_tables_flowtable_event(this, NETDEV_UNREGISTER, ptr); + event = NETDEV_REGISTER; + } if (event != NETDEV_REGISTER && event != NETDEV_UNREGISTER) return NOTIFY_DONE; 
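Review bot: the NETDEV_CHANGENAME branch in the nf_tables_flowtable_event() hunk recurses with NETDEV_UNREGISTER, discards that call's return value and then continues as a NETDEV_REGISTER for the same ptr; this only works because dev->name already holds the new name when the CHANGENAME notifier runs, so the unregister pass has to find hooks by device pointer rather than by name. A one-line comment above `if (event == NETDEV_CHANGENAME) {` saying so would save the next reader a detour through dev_change_name(). Also note that when old and new name both satisfy the same hook spec (which 14/16 makes possible with wildcards), the hook is torn down and re-registered although nothing changed for it: packets arriving on the device in between are not seen by the chain or flowtable, and with 15/16 applied user space gets a DELDEV/NEWDEV pair for a no-op. Skipping the unhook/rehook when the renamed device is still matched by the same hook would avoid both.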
diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c index ec44c27a9d91..4f13591e5cd1 100644 --- a/net/netfilter/nft_chain_filter.c +++ b/net/netfilter/nft_chain_filter.c 
@@ -372,6 +372,10 @@ static int nf_tables_netdev_event(struct notifier_block *this, .net = dev_net(dev), }; + if (event == NETDEV_CHANGENAME) { + nf_tables_netdev_event(this, NETDEV_UNREGISTER, ptr); + event = NETDEV_REGISTER; + } if (event != NETDEV_REGISTER && event != NETDEV_UNREGISTER) return NOTIFY_DONE; From patchwork Thu Sep 12 12:21:46 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1984652 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=SDCqoZnR; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=147.75.48.161; helo=sy.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-3825-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org [147.75.48.161]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4X4Glm4zF9z1y1y for ; Thu, 12 Sep 2024 22:22:12 +1000 (AEST) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 72085B21CD0 for ; Thu, 12 Sep 2024 12:22:12 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id C62551A3048; Thu, 12 Sep 2024 12:22:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail 
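Review bot: the nf_tables_netdev_event() hunk mirrors the flowtable one, including discarding the return value of the inner `nf_tables_netdev_event(this, NETDEV_UNREGISTER, ptr);` call. Since both notifiers now implement identical rename handling, please record in the commit message that a rename is processed as an unregister pass followed by a register pass in both callbacks; 15/16 turns exactly that into a DELDEV/NEWDEV pair that nft monitor users will see.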
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org, Florian Westphal, Eric Garver
Subject: [nf-next PATCH v3 14/16] netfilter: nf_tables: Support wildcard netdev hook specs
Date: Thu, 12 Sep 2024 14:21:46 +0200
Message-ID: <20240912122148.12159-15-phil@nwl.cc>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240912122148.12159-1-phil@nwl.cc>
References: <20240912122148.12159-1-phil@nwl.cc>
Precedence: bulk
X-Mailing-List: netfilter-devel@vger.kernel.org
MIME-Version: 1.0

User space may pass non-nul-terminated NFTA_DEVICE_NAME attribute values to indicate a suffix wildcard. Expect for multiple devices to match the given prefix in nft_netdev_hook_alloc() and populate 'ops_list' with them all. When checking for duplicate hooks, compare the shortest prefix so a device may never match more than a single hook spec. Finally respect the stored prefix length when hooking into new devices from event handlers.

Signed-off-by: Phil Sutter
---
 net/netfilter/nf_tables_api.c    | 31 +++++++++++++++----------------
 net/netfilter/nft_chain_filter.c |  2 +-
 2 files changed, 16 insertions(+), 17 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 88528775732a..3632be26d73a 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2225,24 +2225,22 @@ static struct nft_hook *nft_netdev_hook_alloc(struct net *net, * indirectly serializing all the other holders of the commit_mutex with * the rtnl_mutex. */ - dev = __dev_get_by_name(net, hook->ifname); - if (!dev) { - err = -ENOENT; - goto err_hook_dev; - } + for_each_netdev(net, dev) { + if (strncmp(dev->name, hook->ifname, hook->ifnamelen)) + continue; - ops = kzalloc(sizeof(struct nf_hook_ops), GFP_KERNEL_ACCOUNT); - if (!ops) { - err = -ENOMEM; - goto err_hook_dev; + ops = kzalloc(sizeof(struct nf_hook_ops), GFP_KERNEL_ACCOUNT); + if (!ops) { + err = -ENOMEM; + goto err_ops_alloc; + } + ops->dev = dev; + list_add_tail(&ops->list, &hook->ops_list); } - ops->dev = dev; - list_add_tail(&ops->list, &hook->ops_list); - return hook; -err_hook_dev: - kfree(hook); +err_ops_alloc: + nft_netdev_hook_free(hook); err_hook_alloc: return ERR_PTR(err); } @@ -2253,7 +2251,8 @@ static struct nft_hook *nft_hook_list_find(struct list_head *hook_list, struct nft_hook *hook; list_for_each_entry(hook, hook_list, list) { - if (!strcmp(hook->ifname, this->ifname)) + if (!strncmp(hook->ifname, this->ifname, + min(hook->ifnamelen, this->ifnamelen))) return hook; } @@ -9327,7 +9326,7 @@ static void nft_flowtable_event(unsigned long event, struct net_device *dev, kfree(ops); break; case NETDEV_REGISTER: - if (strcmp(hook->ifname, dev->name)) + if (strncmp(hook->ifname, dev->name, hook->ifnamelen)) continue; ops = kzalloc(sizeof(struct nf_hook_ops), GFP_KERNEL_ACCOUNT); diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c index 4f13591e5cd1..d691f8354049 100644 --- a/net/netfilter/nft_chain_filter.c +++ b/net/netfilter/nft_chain_filter.c 
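Review bot: in the nft_netdev_hook_alloc() hunk the -ENOENT path is gone, so a hook spec matching no existing device now returns a hook with an empty ops_list instead of failing; if that is intended (a wildcard whose devices appear later), the commit message should say so, because it also changes the error a user gets for a mistyped exact name. The `if (strncmp(dev->name, hook->ifname, hook->ifnamelen))` test only distinguishes exact from prefix matching if ifnamelen counts the terminating NUL for exact names and excludes it for wildcards; nothing in this hunk enforces that, so a comment at the compare site stating the invariant would help whoever next touches ifnamelen.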
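Review bot: the `min(hook->ifnamelen, this->ifnamelen)` comparison in the nft_hook_list_find() hunk is correct under the same NUL-counting convention, and it would be worth a short comment with one example pair: a wildcard "eth" (length 3) against an exact "eth1" (length 5) compares equal on 3 bytes and is rejected, since "eth1" would satisfy both, while a wildcard "eth1" (length 4) against an exact "eth" (length 4, NUL included) differs in the fourth byte and is allowed, since no name can satisfy both. Without that note the use of min() reads as an arbitrary choice rather than the "could any device match both specs" test it implements.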
@@ -338,7 +338,7 @@ static void nft_netdev_event(unsigned long event, struct net_device *dev, kfree(ops); break; case NETDEV_REGISTER: - if (strcmp(hook->ifname, dev->name)) + if (strncmp(hook->ifname, dev->name, hook->ifnamelen)) continue; ops = kzalloc(sizeof(struct nf_hook_ops), GFP_KERNEL_ACCOUNT); From patchwork Thu Sep 12 12:21:47 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1984666 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=d0u9u7xA; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:40f1:3f00::1; helo=sy.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-3838-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org [IPv6:2604:1380:40f1:3f00::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4X4HJ801HHz1y28 for ; Thu, 12 Sep 2024 22:46:47 +1000 (AEST) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 8FA7AB259AA for ; Thu, 12 Sep 2024 12:46:47 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 17E9F33CD2; Thu, 12 Sep 2024 12:45:45 +0000 (UTC) Authentication-Results: 
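Review bot: the NETDEV_REGISTER case in nft_netdev_event() (and its twin in nft_flowtable_event() in the previous file) allocates a fresh ops entry for every device whose name passes the strncmp() without checking whether ops_list already holds one for that dev. For a genuine registration that cannot happen, but with the CHANGENAME recursion from 13/16 it relies on the preceding unregister pass having removed the old entry by device pointer; a comment here, or a WARN_ON_ONCE() when an entry for dev already exists, would make the assumption checkable rather than implicit.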
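The matching rules that 14/16 describes, modelled as an added illustration in plain user-space C. This is not code from the patch or from the kernel; it assumes one convention the patch does not spell out, namely that ifnamelen counts the terminating NUL for an exact name and excludes it for a wildcard, and the hook_spec struct, the sample_devs list and the helper names are constructed for the example.

```c
/*
 * Added illustration (not code from the patch or the kernel): models the
 * exact-versus-prefix matching that 14/16 describes, in plain user-space C.
 *
 * Assumed convention, not spelled out in the patch: for an exact
 * (NUL-terminated) spec ifnamelen counts the terminating NUL, so strncmp()
 * compares the terminator too and only an identical name matches; for a
 * wildcard (non-NUL-terminated NFTA_DEVICE_NAME) ifnamelen excludes it and
 * strncmp() degrades to a prefix test.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16

struct hook_spec {
	char ifname[IFNAMSIZ];
	size_t ifnamelen;		/* number of bytes strncmp() looks at */
};

/* Constructed sample of interface names (not taken from the patch). */
static const char *const sample_devs[] = {
	"eth", "eth0", "eth1", "eth10", "wild0", "wildcard",
};
#define NSAMPLE (sizeof(sample_devs) / sizeof(sample_devs[0]))

/* Build a spec from an attribute value; 'wildcard' mirrors a
 * non-NUL-terminated NFTA_DEVICE_NAME. Rejects empty or oversized names. */
static bool spec_init(struct hook_spec *spec, const char *name, bool wildcard)
{
	size_t len = strlen(name);

	if (len == 0 || len + 1 > IFNAMSIZ)
		return false;
	memset(spec, 0, sizeof(*spec));
	memcpy(spec->ifname, name, len);
	spec->ifnamelen = wildcard ? len : len + 1;
	return true;
}

/* Device-side test, as in nft_netdev_hook_alloc() and the NETDEV_REGISTER
 * cases: an exact spec needs the NUL to match, a wildcard only the prefix. */
static bool spec_matches_dev(const struct hook_spec *spec, const char *devname)
{
	return strncmp(devname, spec->ifname, spec->ifnamelen) == 0;
}

/* Duplicate-spec test, as in nft_hook_list_find(): compare on the shorter
 * of the two lengths. */
static bool specs_overlap(const struct hook_spec *a, const struct hook_spec *b)
{
	size_t n = a->ifnamelen < b->ifnamelen ? a->ifnamelen : b->ifnamelen;

	return strncmp(a->ifname, b->ifname, n) == 0;
}

/* The property the overlap rule relies on: some device satisfies both specs
 * exactly when specs_overlap() says so. Brute-forced over a name list. */
static bool some_dev_matches_both(const struct hook_spec *a,
				  const struct hook_spec *b,
				  const char *const *devs, size_t ndev)
{
	for (size_t i = 0; i < ndev; i++)
		if (spec_matches_dev(a, devs[i]) && spec_matches_dev(b, devs[i]))
			return true;
	return false;
}

int main(void)
{
	struct hook_spec w_eth, x_eth1;

	spec_init(&w_eth, "eth", true);		/* "eth*" */
	spec_init(&x_eth1, "eth1", false);	/* exactly "eth1" */
	for (size_t i = 0; i < NSAMPLE; i++)
		printf("%-9s eth*:%d eth1:%d\n", sample_devs[i],
		       spec_matches_dev(&w_eth, sample_devs[i]),
		       spec_matches_dev(&x_eth1, sample_devs[i]));
	printf("eth* vs eth1 overlap: %d\n", specs_overlap(&w_eth, &x_eth1));
	return 0;
}
```

Under that convention specs_overlap() is precisely the test "could any device name satisfy both specs", which is what lets the kernel reject overlapping specs at configuration time and is the claim the commit message makes; drop the NUL from an exact name's length and "eth1" would silently become a prefix match for "eth10" as well.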
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org, Florian Westphal, Eric Garver
Subject: [nf-next PATCH v3 15/16] netfilter: nf_tables: Add notifications for hook changes
Date: Thu, 12 Sep 2024 14:21:47 +0200
Message-ID: <20240912122148.12159-16-phil@nwl.cc>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240912122148.12159-1-phil@nwl.cc>
References: <20240912122148.12159-1-phil@nwl.cc>
Precedence: bulk
X-Mailing-List: netfilter-devel@vger.kernel.org
MIME-Version: 1.0

Notify user space if netdev hooks are updated due to netdev add/remove events. Send minimal notification messages by introducing NFT_MSG_NEWDEV/DELDEV message types describing a single device only.

Signed-off-by: Phil Sutter
---
 include/net/netfilter/nf_tables.h        |  2 +
 include/uapi/linux/netfilter/nf_tables.h |  5 +++
 net/netfilter/nf_tables_api.c            | 57 ++++++++++++++++++++++++
 net/netfilter/nft_chain_filter.c         |  1 +
 4 files changed, 65 insertions(+)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 991b8d5e52f1..3ebdb46b3993 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1131,6 +1131,8 @@ int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set, int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set); int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain); void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain); +void nf_tables_chain_device_notify(const struct nft_chain *chain, + const struct net_device *dev, int event); enum nft_chain_types { NFT_CHAIN_T_DEFAULT = 0, diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index 639894ed1b97..0f350f2fc807 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h @@ -142,6 +142,8 @@ enum nf_tables_msg_types { NFT_MSG_DESTROYOBJ, NFT_MSG_DESTROYFLOWTABLE, NFT_MSG_GETSETELEM_RESET, + NFT_MSG_NEWDEV, + NFT_MSG_DELDEV, NFT_MSG_MAX, }; @@ -1772,6 +1774,9 @@ enum nft_synproxy_attributes { enum nft_devices_attributes { NFTA_DEVICE_UNSPEC, NFTA_DEVICE_NAME, + NFTA_DEVICE_TABLE, + NFTA_DEVICE_FLOWTABLE, + NFTA_DEVICE_CHAIN, __NFTA_DEVICE_MAX }; #define NFTA_DEVICE_MAX (__NFTA_DEVICE_MAX - 1) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 3632be26d73a..cdca5dfbe0b5 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c 
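Review bot: the uapi hunk adds NFT_MSG_NEWDEV, NFT_MSG_DELDEV and NFTA_DEVICE_TABLE/FLOWTABLE/CHAIN without kerneldoc lines, while the surrounding enums document every value in their header comments; please add matching @NFT_MSG_NEWDEV/@NFT_MSG_DELDEV and @NFTA_DEVICE_* entries. It would also help to state there (or in the commit message) that the two message types are kernel-to-user notifications only and are not accepted as requests, and that NFTA_DEVICE_FLOWTABLE and NFTA_DEVICE_CHAIN are mutually exclusive in one message, since a consumer cannot tell that from the enum alone.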
@@ -9306,6 +9306,62 @@ struct nf_hook_ops *nft_hook_find_ops(const struct nft_hook *hook, } EXPORT_SYMBOL_GPL(nft_hook_find_ops); +static void +nf_tables_device_notify(const struct nft_table *table, int attr, + const char *name, const struct net_device *dev, + int event) +{ + struct net *net = dev_net(dev); + struct nlmsghdr *nlh; + struct sk_buff *skb; + u16 flags = 0; + + if (!nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) + return; + + skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); + if (!skb) + goto err; + + event = event == NETDEV_REGISTER ? NFT_MSG_NEWDEV : NFT_MSG_DELDEV; + event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); + nlh = nfnl_msg_put(skb, 0, 0, event, flags, table->family, + NFNETLINK_V0, nft_base_seq(net)); + if (!nlh) + goto err; + + if (nla_put_string(skb, NFTA_DEVICE_TABLE, table->name) || + nla_put_string(skb, attr, name) || + nla_put_string(skb, NFTA_DEVICE_NAME, dev->name)) + goto err; + + nlmsg_end(skb, nlh); + nfnetlink_send(skb, net, 0, NFNLGRP_NFTABLES, + nlmsg_report(nlh), GFP_KERNEL); + return; +err: + if (skb) + kfree_skb(skb); + nfnetlink_set_err(net, 0, NFNLGRP_NFTABLES, -ENOBUFS); +} + +void +nf_tables_chain_device_notify(const struct nft_chain *chain, + const struct net_device *dev, int event) +{ + nf_tables_device_notify(chain->table, NFTA_DEVICE_CHAIN, + chain->name, dev, event); +} + +static void +nf_tables_flowtable_device_notify(const struct nft_flowtable *ft, + const struct net_device *dev, int event) +{ + nf_tables_device_notify(ft->table, NFTA_DEVICE_FLOWTABLE, + ft->name, dev, event); +} + + static void nft_flowtable_event(unsigned long event, struct net_device *dev, struct nft_flowtable *flowtable) { @@ -9348,6 +9404,7 @@ static void nft_flowtable_event(unsigned long event, struct net_device *dev, kfree(ops); continue; } + nf_tables_flowtable_device_notify(flowtable, dev, event); } } diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c index d691f8354049..c9de9b12f772 100644 
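Review bot: in nf_tables_device_notify() the `if (skb)` guard before kfree_skb() is redundant, kfree_skb() accepts NULL, and `u16 flags = 0;` is never changed and can be passed as a literal. The error path reports -ENOBUFS via nfnetlink_set_err() for every failure including an nla_put_string() overflow of the NLMSG_DEFAULT_SIZE skb, which matches the other notify helpers in this file and is fine because table, chain/flowtable and device names are all length-bounded well below that size. The call added at the tail of the loop in nft_flowtable_event() fires for NETDEV_UNREGISTER as well, since that case ends in break rather than continue; a one-line comment that the event argument selects DELDEV versus NEWDEV would make the pairing explicit at the call site.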
--- a/net/netfilter/nft_chain_filter.c +++ b/net/netfilter/nft_chain_filter.c 
@@ -357,6 +357,7 @@ static void nft_netdev_event(unsigned long event, struct net_device *dev, kfree(ops); continue; } + nf_tables_chain_device_notify(ctx->chain, dev, event); } } From patchwork Thu Sep 12 12:21:48 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1984668 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=j58rN+5z; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:45e3:2400::1; helo=sv.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-3839-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org [IPv6:2604:1380:45e3:2400::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4X4HJ96tm6z1y1C for ; Thu, 12 Sep 2024 22:46:49 +1000 (AEST) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id ACBA5285DFE for ; Thu, 12 Sep 2024 12:46:48 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 7E59F1A76A6; Thu, 12 Sep 2024 12:45:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="j58rN+5z" 
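Review bot: nf_tables_chain_device_notify(ctx->chain, dev, event) is reached for register and unregister events alike, so together with the rename handling from 13/16 a renamed device is reported as DELDEV followed by NEWDEV; the commit message only mentions "netdev add/remove events", please mention rename too so nft monitor consumers are not surprised by a remove/add pair for a device that never went away.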
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org, Florian Westphal, Eric Garver
Subject: [nf-next PATCH v3 16/16] selftests: netfilter: Torture nftables netdev hooks
Date: Thu, 12 Sep 2024 14:21:48 +0200
Message-ID: <20240912122148.12159-17-phil@nwl.cc>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240912122148.12159-1-phil@nwl.cc>
References: <20240912122148.12159-1-phil@nwl.cc>
Precedence: bulk
X-Mailing-List: netfilter-devel@vger.kernel.org
MIME-Version: 1.0

Add a ruleset which binds to various interface names via netdev-family chains and flowtables and massage the notifiers by frequently renaming interfaces to match these names. While doing so:

- Keep an 'nft monitor' running in background to receive the notifications
- Loop over 'nft list ruleset' to exercise ruleset dump codepath
- Have iperf running so the involved chains/flowtables see traffic

If supported, also test interface wildcard support separately by creating a flowtable with 'wild*' interface spec and quickly add/remove matching dummy interfaces.

Signed-off-by: Phil Sutter
---
 .../testing/selftests/net/netfilter/Makefile  |   1 +
 .../net/netfilter/nft_interface_stress.sh     | 149 ++++++++++++++++++
 2 files changed, 150 insertions(+)
 create mode 100755 tools/testing/selftests/net/netfilter/nft_interface_stress.sh
diff --git a/tools/testing/selftests/net/netfilter/Makefile b/tools/testing/selftests/net/netfilter/Makefile index d13fb5ea3e89..823e0acf7171 100644 --- a/tools/testing/selftests/net/netfilter/Makefile +++ b/tools/testing/selftests/net/netfilter/Makefile @@ -21,6 +21,7 @@ TEST_PROGS += nft_concat_range.sh TEST_PROGS += nft_conntrack_helper.sh TEST_PROGS += nft_fib.sh TEST_PROGS += nft_flowtable.sh +TEST_PROGS += nft_interface_stress.sh TEST_PROGS += nft_meta.sh TEST_PROGS += nft_nat.sh TEST_PROGS += nft_nat_zones.sh diff --git a/tools/testing/selftests/net/netfilter/nft_interface_stress.sh b/tools/testing/selftests/net/netfilter/nft_interface_stress.sh new file mode 100755 index 000000000000..92ce1d35ec19 --- /dev/null +++ b/tools/testing/selftests/net/netfilter/nft_interface_stress.sh 
@@ -0,0 +1,149 @@ +#!/bin/bash -e +# +# SPDX-License-Identifier: GPL-2.0 +# +# Torture nftables' netdevice notifier callbacks and related code by frequent +# renaming of interfaces which netdev-family chains and flowtables hook into. + +source lib.sh + +checktool "nft --version" "run test without nft tool" +checktool "iperf3 --version" "run test without iperf3 tool" + +# how many seconds to torture the kernel, default to 80% of max run time +TEST_RUNTIME=$((${kselftest_timeout:-60} * 8 / 10)) + +trap "cleanup_all_ns" EXIT + +setup_ns nsc nsr nss + +ip -net $nsc link add cr0 type veth peer name rc0 netns $nsr +ip -net $nsc addr add 10.0.0.1/24 dev cr0 +ip -net $nsc link set cr0 up +ip -net $nsc route add default via 10.0.0.2 + +ip -net $nss link add sr0 type veth peer name rs0 netns $nsr +ip -net $nss addr add 10.1.0.1/24 dev sr0 +ip -net $nss link set sr0 up +ip -net $nss route add default via 10.1.0.2 + +ip -net $nsr addr add 10.0.0.2/24 dev rc0 +ip -net $nsr link set rc0 up +ip -net $nsr addr add 10.1.0.2/24 dev rs0 +ip -net $nsr link set rs0 up +ip netns exec $nsr sysctl -q net.ipv4.ip_forward=1 +ip netns exec $nsr sysctl -q net.ipv4.conf.all.forwarding=1 + +{ + echo "table netdev t {" + for ((i = 0; i < 10; i++)); do + cat <<-EOF + chain chain_rc$i { + type filter hook ingress device rc$i priority 0 + counter + } + chain chain_rs$i { + type filter hook ingress device rs$i priority 0 + counter + } + EOF + done + echo "}" + echo "table ip t {" + for ((i = 0; i < 10; i++)); do + cat <<-EOF + flowtable ft_${i} { + hook ingress priority 0 + devices = { rc$i, rs$i } + } + EOF + done + echo "chain c {" + echo "type filter hook forward priority 0" + for ((i = 0; i < 10; i++)); do + echo -n "iifname rc$i oifname rs$i " + echo "ip protocol tcp counter flow add @ft_${i}" + done + echo "counter" + echo "}" + echo "}" +} | ip netns exec $nsr nft -f - || { + echo "SKIP: Could not load nft ruleset" + exit $ksft_skip +} + +for ((o=0, n=1; ; o=n, n++, n %= 10)); do + ip -net 
$nsr link set rc$o name rc$n + ip -net $nsr link set rs$o name rs$n +done & +rename_loop_pid=$! + +while true; do ip netns exec $nsr nft list ruleset >/dev/null 2>&1; done & +nft_list_pid=$! + +ip netns exec $nsr nft monitor >/dev/null & +nft_monitor_pid=$! + +ip netns exec $nss iperf3 --server --daemon -1 +summary_expr='s,^\[SUM\] .* \([0-9]\+\) Mbits/sec .* receiver,\1,p' +rate=$(ip netns exec $nsc iperf3 \ + --format m -c 10.1.0.1 --time $TEST_RUNTIME \ + --length 56 --parallel 10 -i 0 | sed -n "$summary_expr") + +kill $nft_list_pid +kill $nft_monitor_pid +kill $rename_loop_pid +wait + +ip netns exec $nsr nft -f - <
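Review bot: the script runs under `#!/bin/bash -e`, which the backgrounded rename and list loops inherit, so the first failing `ip -net $nsr link set rc$o name rc$n` (a transient EBUSY while the device is mid-rename, for instance) silently ends the rename loop and the rest of TEST_RUNTIME no longer stresses the notifiers at all, while the test still reports whatever iperf3 measured. Either append `|| true` inside the loops or check `kill -0 $rename_loop_pid` before the final kill and fail if the loop died early. Separately, iperf3 is started with `--server --daemon -1` and the client launched immediately afterwards with no wait for the server to be listening, so on a slow or loaded box the client can fail to connect and `rate` ends up empty; a short retry loop around the client, or a busywait on the server port before starting it, would make the run deterministic. The hunk is cut off after `ip netns exec $nsr nft -f - <`, so the wildcard part of the test described in the commit message could not be reviewed here.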