UbiquitousOS
/
OpenCloudOS-Kernel
mirror of https://gitee.com/OpenCloudOS/OpenCloudOS-Kernel.git
11
0
Fork 0
Code Issues Projects Releases Wiki Activity

netfilter: nftables: allow to update flowtable flags 

Honor flowtable flags from the control update path. Disallow disabling
to toggle hardware offload support though.

Fixes: 8bb69f3b29 ("netfilter: nf_tables: add flowtable offload control plane")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Pablo Neira Ayuso 2021-03-17 12:54:57 +01:00
parent 7e6136f1b7
commit 7b35582cd0
2 changed files with 18 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
include/net/netfilter/nf_tables.h
View File

@ -1536,6 +1536,7 @@ struct nft_trans_flowtable {
struct nft_flowtable *flowtable; struct nft_flowtable *flowtable;
bool update; bool update;
struct list_head hook_list; struct list_head hook_list;
u32 flags;
}; };
#define nft_trans_flowtable(trans) \ #define nft_trans_flowtable(trans) \
@ -1544,6 +1545,8 @@ struct nft_trans_flowtable {
(((struct nft_trans_flowtable *)trans->data)->update) (((struct nft_trans_flowtable *)trans->data)->update)
#define nft_trans_flowtable_hooks(trans) \ #define nft_trans_flowtable_hooks(trans) \
(((struct nft_trans_flowtable *)trans->data)->hook_list) (((struct nft_trans_flowtable *)trans->data)->hook_list)
#define nft_trans_flowtable_flags(trans) \
(((struct nft_trans_flowtable *)trans->data)->flags)
int __init nft_chain_filter_init(void); int __init nft_chain_filter_init(void);
void nft_chain_filter_fini(void); void nft_chain_filter_fini(void);

15
net/netfilter/nf_tables_api.c
View File

@ -6842,6 +6842,7 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
struct nft_hook *hook, *next; struct nft_hook *hook, *next;
struct nft_trans *trans; struct nft_trans *trans;
bool unregister = false; bool unregister = false;
u32 flags;
int err; int err;
err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK], err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
@ -6856,6 +6857,17 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
} }
} }
if (nla[NFTA_FLOWTABLE_FLAGS]) {
flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
if (flags & ~NFT_FLOWTABLE_MASK)
return -EOPNOTSUPP;
if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^
(flags & NFT_FLOWTABLE_HW_OFFLOAD))
return -EOPNOTSUPP;
} else {
flags = flowtable->data.flags;
}
err = nft_register_flowtable_net_hooks(ctx->net, ctx->table, err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
&flowtable_hook.list, flowtable); &flowtable_hook.list, flowtable);
if (err < 0) if (err < 0)
@ -6869,6 +6881,7 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
goto err_flowtable_update_hook; goto err_flowtable_update_hook;
} }
nft_trans_flowtable_flags(trans) = flags;
nft_trans_flowtable(trans) = flowtable; nft_trans_flowtable(trans) = flowtable;
nft_trans_flowtable_update(trans) = true; nft_trans_flowtable_update(trans) = true;
INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
@ -8178,6 +8191,8 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
break; break;
case NFT_MSG_NEWFLOWTABLE: case NFT_MSG_NEWFLOWTABLE:
if (nft_trans_flowtable_update(trans)) { if (nft_trans_flowtable_update(trans)) {
nft_trans_flowtable(trans)->data.flags =
nft_trans_flowtable_flags(trans);
nf_tables_flowtable_notify(&trans->ctx, nf_tables_flowtable_notify(&trans->ctx,
nft_trans_flowtable(trans), nft_trans_flowtable(trans),
&nft_trans_flowtable_hooks(trans), &nft_trans_flowtable_hooks(trans),