netfilter: nf_tables: use net_generic infra for transaction data
[ Upstream commit 0854db2aaef3fcdd3498a9d299c60adea2aa3dc6 ] This moves all nf_tables pernet data from struct net to a net_generic extension, with the exception of the gencursor. The latter is used in the data path and also outside of the nf_tables core. All others are only used from the configuration plane. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Florian Westphal
committed by
Greg Kroah-Hartman
Greg Kroah-Hartman
parent
01248dd651
commit
3f51f1157f
@@ -1535,4 +1535,14 @@ void nf_tables_trans_destroy_flush_work(void);
|
|||||||
int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result);
|
int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result);
|
||||||
__be64 nf_jiffies64_to_msecs(u64 input);
|
__be64 nf_jiffies64_to_msecs(u64 input);
|
||||||
|
|
||||||
|
struct nftables_pernet {
|
||||||
|
struct list_head tables;
|
||||||
|
struct list_head commit_list;
|
||||||
|
struct list_head module_list;
|
||||||
|
struct list_head notify_list;
|
||||||
|
struct mutex commit_mutex;
|
||||||
|
unsigned int base_seq;
|
||||||
|
u8 validate_state;
|
||||||
|
};
|
||||||
|
|
||||||
#endif /* _NET_NF_TABLES_H */
|
#endif /* _NET_NF_TABLES_H */
|
||||||
|
|||||||
@@ -5,14 +5,7 @@
|
|||||||
#include <linux/list.h>
|
#include <linux/list.h>
|
||||||
|
|
||||||
struct netns_nftables {
|
struct netns_nftables {
|
||||||
struct list_head tables;
|
|
||||||
struct list_head commit_list;
|
|
||||||
struct list_head module_list;
|
|
||||||
struct list_head notify_list;
|
|
||||||
struct mutex commit_mutex;
|
|
||||||
unsigned int base_seq;
|
|
||||||
u8 gencursor;
|
u8 gencursor;
|
||||||
u8 validate_state;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|||||||
File diff suppressed because it is too large
Load Diff
@@ -7,6 +7,8 @@
|
|||||||
#include <net/netfilter/nf_tables_offload.h>
|
#include <net/netfilter/nf_tables_offload.h>
|
||||||
#include <net/pkt_cls.h>
|
#include <net/pkt_cls.h>
|
||||||
|
|
||||||
|
extern unsigned int nf_tables_net_id;
|
||||||
|
|
||||||
static struct nft_flow_rule *nft_flow_rule_alloc(int num_actions)
|
static struct nft_flow_rule *nft_flow_rule_alloc(int num_actions)
|
||||||
{
|
{
|
||||||
struct nft_flow_rule *flow;
|
struct nft_flow_rule *flow;
|
||||||
@@ -371,16 +373,18 @@ static void nft_indr_block_cleanup(struct flow_block_cb *block_cb)
|
|||||||
struct nft_base_chain *basechain = block_cb->indr.data;
|
struct nft_base_chain *basechain = block_cb->indr.data;
|
||||||
struct net_device *dev = block_cb->indr.dev;
|
struct net_device *dev = block_cb->indr.dev;
|
||||||
struct netlink_ext_ack extack = {};
|
struct netlink_ext_ack extack = {};
|
||||||
|
struct nftables_pernet *nft_net;
|
||||||
struct net *net = dev_net(dev);
|
struct net *net = dev_net(dev);
|
||||||
struct flow_block_offload bo;
|
struct flow_block_offload bo;
|
||||||
|
|
||||||
nft_flow_block_offload_init(&bo, dev_net(dev), FLOW_BLOCK_UNBIND,
|
nft_flow_block_offload_init(&bo, dev_net(dev), FLOW_BLOCK_UNBIND,
|
||||||
basechain, &extack);
|
basechain, &extack);
|
||||||
mutex_lock(&net->nft.commit_mutex);
|
nft_net = net_generic(net, nf_tables_net_id);
|
||||||
|
mutex_lock(&nft_net->commit_mutex);
|
||||||
list_del(&block_cb->driver_list);
|
list_del(&block_cb->driver_list);
|
||||||
list_move(&block_cb->list, &bo.cb_list);
|
list_move(&block_cb->list, &bo.cb_list);
|
||||||
nft_flow_offload_unbind(&bo, basechain);
|
nft_flow_offload_unbind(&bo, basechain);
|
||||||
mutex_unlock(&net->nft.commit_mutex);
|
mutex_unlock(&nft_net->commit_mutex);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int nft_indr_block_offload_cmd(struct nft_base_chain *basechain,
|
static int nft_indr_block_offload_cmd(struct nft_base_chain *basechain,
|
||||||
@@ -476,9 +480,10 @@ static int nft_flow_offload_chain(struct nft_chain *chain, u8 *ppolicy,
|
|||||||
static void nft_flow_rule_offload_abort(struct net *net,
|
static void nft_flow_rule_offload_abort(struct net *net,
|
||||||
struct nft_trans *trans)
|
struct nft_trans *trans)
|
||||||
{
|
{
|
||||||
|
struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
|
||||||
int err = 0;
|
int err = 0;
|
||||||
|
|
||||||
list_for_each_entry_continue_reverse(trans, &net->nft.commit_list, list) {
|
list_for_each_entry_continue_reverse(trans, &nft_net->commit_list, list) {
|
||||||
if (trans->ctx.family != NFPROTO_NETDEV)
|
if (trans->ctx.family != NFPROTO_NETDEV)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
@@ -524,11 +529,12 @@ static void nft_flow_rule_offload_abort(struct net *net,
|
|||||||
|
|
||||||
int nft_flow_rule_offload_commit(struct net *net)
|
int nft_flow_rule_offload_commit(struct net *net)
|
||||||
{
|
{
|
||||||
|
struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
|
||||||
struct nft_trans *trans;
|
struct nft_trans *trans;
|
||||||
int err = 0;
|
int err = 0;
|
||||||
u8 policy;
|
u8 policy;
|
||||||
|
|
||||||
list_for_each_entry(trans, &net->nft.commit_list, list) {
|
list_for_each_entry(trans, &nft_net->commit_list, list) {
|
||||||
if (trans->ctx.family != NFPROTO_NETDEV)
|
if (trans->ctx.family != NFPROTO_NETDEV)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
@@ -580,7 +586,7 @@ int nft_flow_rule_offload_commit(struct net *net)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
list_for_each_entry(trans, &net->nft.commit_list, list) {
|
list_for_each_entry(trans, &nft_net->commit_list, list) {
|
||||||
if (trans->ctx.family != NFPROTO_NETDEV)
|
if (trans->ctx.family != NFPROTO_NETDEV)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
@@ -600,15 +606,15 @@ int nft_flow_rule_offload_commit(struct net *net)
|
|||||||
return err;
|
return err;
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct nft_chain *__nft_offload_get_chain(struct net_device *dev)
|
static struct nft_chain *__nft_offload_get_chain(const struct nftables_pernet *nft_net,
|
||||||
|
struct net_device *dev)
|
||||||
{
|
{
|
||||||
struct nft_base_chain *basechain;
|
struct nft_base_chain *basechain;
|
||||||
struct net *net = dev_net(dev);
|
|
||||||
struct nft_hook *hook, *found;
|
struct nft_hook *hook, *found;
|
||||||
const struct nft_table *table;
|
const struct nft_table *table;
|
||||||
struct nft_chain *chain;
|
struct nft_chain *chain;
|
||||||
|
|
||||||
list_for_each_entry(table, &net->nft.tables, list) {
|
list_for_each_entry(table, &nft_net->tables, list) {
|
||||||
if (table->family != NFPROTO_NETDEV)
|
if (table->family != NFPROTO_NETDEV)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
@@ -640,19 +646,21 @@ static int nft_offload_netdev_event(struct notifier_block *this,
|
|||||||
unsigned long event, void *ptr)
|
unsigned long event, void *ptr)
|
||||||
{
|
{
|
||||||
struct net_device *dev = netdev_notifier_info_to_dev(ptr);
|
struct net_device *dev = netdev_notifier_info_to_dev(ptr);
|
||||||
|
struct nftables_pernet *nft_net;
|
||||||
struct net *net = dev_net(dev);
|
struct net *net = dev_net(dev);
|
||||||
struct nft_chain *chain;
|
struct nft_chain *chain;
|
||||||
|
|
||||||
if (event != NETDEV_UNREGISTER)
|
if (event != NETDEV_UNREGISTER)
|
||||||
return NOTIFY_DONE;
|
return NOTIFY_DONE;
|
||||||
|
|
||||||
mutex_lock(&net->nft.commit_mutex);
|
nft_net = net_generic(net, nf_tables_net_id);
|
||||||
chain = __nft_offload_get_chain(dev);
|
mutex_lock(&nft_net->commit_mutex);
|
||||||
|
chain = __nft_offload_get_chain(nft_net, dev);
|
||||||
if (chain)
|
if (chain)
|
||||||
nft_flow_block_chain(nft_base_chain(chain), dev,
|
nft_flow_block_chain(nft_base_chain(chain), dev,
|
||||||
FLOW_BLOCK_UNBIND);
|
FLOW_BLOCK_UNBIND);
|
||||||
|
|
||||||
mutex_unlock(&net->nft.commit_mutex);
|
mutex_unlock(&nft_net->commit_mutex);
|
||||||
|
|
||||||
return NOTIFY_DONE;
|
return NOTIFY_DONE;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -2,6 +2,7 @@
|
|||||||
#include <linux/kernel.h>
|
#include <linux/kernel.h>
|
||||||
#include <linux/netdevice.h>
|
#include <linux/netdevice.h>
|
||||||
#include <net/net_namespace.h>
|
#include <net/net_namespace.h>
|
||||||
|
#include <net/netns/generic.h>
|
||||||
#include <net/netfilter/nf_tables.h>
|
#include <net/netfilter/nf_tables.h>
|
||||||
#include <linux/netfilter_ipv4.h>
|
#include <linux/netfilter_ipv4.h>
|
||||||
#include <linux/netfilter_ipv6.h>
|
#include <linux/netfilter_ipv6.h>
|
||||||
@@ -10,6 +11,8 @@
|
|||||||
#include <net/netfilter/nf_tables_ipv4.h>
|
#include <net/netfilter/nf_tables_ipv4.h>
|
||||||
#include <net/netfilter/nf_tables_ipv6.h>
|
#include <net/netfilter/nf_tables_ipv6.h>
|
||||||
|
|
||||||
|
extern unsigned int nf_tables_net_id;
|
||||||
|
|
||||||
#ifdef CONFIG_NF_TABLES_IPV4
|
#ifdef CONFIG_NF_TABLES_IPV4
|
||||||
static unsigned int nft_do_chain_ipv4(void *priv,
|
static unsigned int nft_do_chain_ipv4(void *priv,
|
||||||
struct sk_buff *skb,
|
struct sk_buff *skb,
|
||||||
@@ -355,6 +358,7 @@ static int nf_tables_netdev_event(struct notifier_block *this,
|
|||||||
unsigned long event, void *ptr)
|
unsigned long event, void *ptr)
|
||||||
{
|
{
|
||||||
struct net_device *dev = netdev_notifier_info_to_dev(ptr);
|
struct net_device *dev = netdev_notifier_info_to_dev(ptr);
|
||||||
|
struct nftables_pernet *nft_net;
|
||||||
struct nft_table *table;
|
struct nft_table *table;
|
||||||
struct nft_chain *chain, *nr;
|
struct nft_chain *chain, *nr;
|
||||||
struct nft_ctx ctx = {
|
struct nft_ctx ctx = {
|
||||||
@@ -365,8 +369,9 @@ static int nf_tables_netdev_event(struct notifier_block *this,
|
|||||||
event != NETDEV_CHANGENAME)
|
event != NETDEV_CHANGENAME)
|
||||||
return NOTIFY_DONE;
|
return NOTIFY_DONE;
|
||||||
|
|
||||||
mutex_lock(&ctx.net->nft.commit_mutex);
|
nft_net = net_generic(ctx.net, nf_tables_net_id);
|
||||||
list_for_each_entry(table, &ctx.net->nft.tables, list) {
|
mutex_lock(&nft_net->commit_mutex);
|
||||||
|
list_for_each_entry(table, &nft_net->tables, list) {
|
||||||
if (table->family != NFPROTO_NETDEV)
|
if (table->family != NFPROTO_NETDEV)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
@@ -380,7 +385,7 @@ static int nf_tables_netdev_event(struct notifier_block *this,
|
|||||||
nft_netdev_event(event, dev, &ctx);
|
nft_netdev_event(event, dev, &ctx);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
mutex_unlock(&ctx.net->nft.commit_mutex);
|
mutex_unlock(&nft_net->commit_mutex);
|
||||||
|
|
||||||
return NOTIFY_DONE;
|
return NOTIFY_DONE;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -11,6 +11,9 @@
|
|||||||
#include <linux/netfilter/nf_tables.h>
|
#include <linux/netfilter/nf_tables.h>
|
||||||
#include <net/netfilter/nf_tables.h>
|
#include <net/netfilter/nf_tables.h>
|
||||||
#include <net/netfilter/nf_tables_core.h>
|
#include <net/netfilter/nf_tables_core.h>
|
||||||
|
#include <net/netns/generic.h>
|
||||||
|
|
||||||
|
extern unsigned int nf_tables_net_id;
|
||||||
|
|
||||||
struct nft_dynset {
|
struct nft_dynset {
|
||||||
struct nft_set *set;
|
struct nft_set *set;
|
||||||
@@ -106,13 +109,14 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
|
|||||||
const struct nft_expr *expr,
|
const struct nft_expr *expr,
|
||||||
const struct nlattr * const tb[])
|
const struct nlattr * const tb[])
|
||||||
{
|
{
|
||||||
|
struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id);
|
||||||
struct nft_dynset *priv = nft_expr_priv(expr);
|
struct nft_dynset *priv = nft_expr_priv(expr);
|
||||||
u8 genmask = nft_genmask_next(ctx->net);
|
u8 genmask = nft_genmask_next(ctx->net);
|
||||||
struct nft_set *set;
|
struct nft_set *set;
|
||||||
u64 timeout;
|
u64 timeout;
|
||||||
int err;
|
int err;
|
||||||
|
|
||||||
lockdep_assert_held(&ctx->net->nft.commit_mutex);
|
lockdep_assert_held(&nft_net->commit_mutex);
|
||||||
|
|
||||||
if (tb[NFTA_DYNSET_SET_NAME] == NULL ||
|
if (tb[NFTA_DYNSET_SET_NAME] == NULL ||
|
||||||
tb[NFTA_DYNSET_OP] == NULL ||
|
tb[NFTA_DYNSET_OP] == NULL ||
|
||||||
|
|||||||
Reference in New Issue
Block a user