591054469b
Andreas reports that the following incremental update using our commit
protocol doesn't work.
# nft -f incremental-update.nft
delete element ip filter client_to_any { 10.180.86.22 : goto CIn_1 }
delete chain ip filter CIn_1
... Error: Could not process rule: Device or resource busy
The existing code is not well-integrated into the commit phase protocol,
since element deletions do not result in refcount decrement from the
preparation phase. This results in bogus EBUSY errors like the one
above.
Two new functions come with this patch:
* nft_set_elem_activate() function is used from the abort path, to
restore the set element refcounting on objects that occurred from
the preparation phase.
* nft_set_elem_deactivate() that is called from nft_del_setelem() to
decrement set element refcounting on objects from the preparation
phase in the commit protocol.
The nft_data_uninit() has been renamed to nft_data_release() since this
function does not uninitialize any data store in the data register,
instead just releases the references to objects. Moreover, a new
function nft_data_hold() has been introduced to be used from
nft_set_elem_activate().
Reported-by: Andreas Schultz <aschultz@tpip.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
225 lines
5.1 KiB
C
225 lines
5.1 KiB
C
/*
|
|
* Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
* Development of this code funded by Astaro AG (http://www.astaro.com/)
|
|
*/
|
|
|
|
#include <linux/kernel.h>
|
|
#include <linux/init.h>
|
|
#include <linux/module.h>
|
|
#include <linux/netlink.h>
|
|
#include <linux/netfilter.h>
|
|
#include <linux/netfilter/nf_tables.h>
|
|
#include <net/netfilter/nf_tables_core.h>
|
|
#include <net/netfilter/nf_tables.h>
|
|
|
|
struct nft_cmp_expr {
|
|
struct nft_data data;
|
|
enum nft_registers sreg:8;
|
|
u8 len;
|
|
enum nft_cmp_ops op:8;
|
|
};
|
|
|
|
static void nft_cmp_eval(const struct nft_expr *expr,
|
|
struct nft_regs *regs,
|
|
const struct nft_pktinfo *pkt)
|
|
{
|
|
const struct nft_cmp_expr *priv = nft_expr_priv(expr);
|
|
int d;
|
|
|
|
d = memcmp(®s->data[priv->sreg], &priv->data, priv->len);
|
|
switch (priv->op) {
|
|
case NFT_CMP_EQ:
|
|
if (d != 0)
|
|
goto mismatch;
|
|
break;
|
|
case NFT_CMP_NEQ:
|
|
if (d == 0)
|
|
goto mismatch;
|
|
break;
|
|
case NFT_CMP_LT:
|
|
if (d == 0)
|
|
goto mismatch;
|
|
case NFT_CMP_LTE:
|
|
if (d > 0)
|
|
goto mismatch;
|
|
break;
|
|
case NFT_CMP_GT:
|
|
if (d == 0)
|
|
goto mismatch;
|
|
case NFT_CMP_GTE:
|
|
if (d < 0)
|
|
goto mismatch;
|
|
break;
|
|
}
|
|
return;
|
|
|
|
mismatch:
|
|
regs->verdict.code = NFT_BREAK;
|
|
}
|
|
|
|
static const struct nla_policy nft_cmp_policy[NFTA_CMP_MAX + 1] = {
|
|
[NFTA_CMP_SREG] = { .type = NLA_U32 },
|
|
[NFTA_CMP_OP] = { .type = NLA_U32 },
|
|
[NFTA_CMP_DATA] = { .type = NLA_NESTED },
|
|
};
|
|
|
|
static int nft_cmp_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
|
|
const struct nlattr * const tb[])
|
|
{
|
|
struct nft_cmp_expr *priv = nft_expr_priv(expr);
|
|
struct nft_data_desc desc;
|
|
int err;
|
|
|
|
err = nft_data_init(NULL, &priv->data, sizeof(priv->data), &desc,
|
|
tb[NFTA_CMP_DATA]);
|
|
BUG_ON(err < 0);
|
|
|
|
priv->sreg = nft_parse_register(tb[NFTA_CMP_SREG]);
|
|
err = nft_validate_register_load(priv->sreg, desc.len);
|
|
if (err < 0)
|
|
return err;
|
|
|
|
priv->op = ntohl(nla_get_be32(tb[NFTA_CMP_OP]));
|
|
priv->len = desc.len;
|
|
return 0;
|
|
}
|
|
|
|
static int nft_cmp_dump(struct sk_buff *skb, const struct nft_expr *expr)
|
|
{
|
|
const struct nft_cmp_expr *priv = nft_expr_priv(expr);
|
|
|
|
if (nft_dump_register(skb, NFTA_CMP_SREG, priv->sreg))
|
|
goto nla_put_failure;
|
|
if (nla_put_be32(skb, NFTA_CMP_OP, htonl(priv->op)))
|
|
goto nla_put_failure;
|
|
|
|
if (nft_data_dump(skb, NFTA_CMP_DATA, &priv->data,
|
|
NFT_DATA_VALUE, priv->len) < 0)
|
|
goto nla_put_failure;
|
|
return 0;
|
|
|
|
nla_put_failure:
|
|
return -1;
|
|
}
|
|
|
|
static const struct nft_expr_ops nft_cmp_ops = {
|
|
.type = &nft_cmp_type,
|
|
.size = NFT_EXPR_SIZE(sizeof(struct nft_cmp_expr)),
|
|
.eval = nft_cmp_eval,
|
|
.init = nft_cmp_init,
|
|
.dump = nft_cmp_dump,
|
|
};
|
|
|
|
static int nft_cmp_fast_init(const struct nft_ctx *ctx,
|
|
const struct nft_expr *expr,
|
|
const struct nlattr * const tb[])
|
|
{
|
|
struct nft_cmp_fast_expr *priv = nft_expr_priv(expr);
|
|
struct nft_data_desc desc;
|
|
struct nft_data data;
|
|
u32 mask;
|
|
int err;
|
|
|
|
err = nft_data_init(NULL, &data, sizeof(data), &desc,
|
|
tb[NFTA_CMP_DATA]);
|
|
BUG_ON(err < 0);
|
|
|
|
priv->sreg = nft_parse_register(tb[NFTA_CMP_SREG]);
|
|
err = nft_validate_register_load(priv->sreg, desc.len);
|
|
if (err < 0)
|
|
return err;
|
|
|
|
desc.len *= BITS_PER_BYTE;
|
|
mask = nft_cmp_fast_mask(desc.len);
|
|
|
|
priv->data = data.data[0] & mask;
|
|
priv->len = desc.len;
|
|
return 0;
|
|
}
|
|
|
|
static int nft_cmp_fast_dump(struct sk_buff *skb, const struct nft_expr *expr)
|
|
{
|
|
const struct nft_cmp_fast_expr *priv = nft_expr_priv(expr);
|
|
struct nft_data data;
|
|
|
|
if (nft_dump_register(skb, NFTA_CMP_SREG, priv->sreg))
|
|
goto nla_put_failure;
|
|
if (nla_put_be32(skb, NFTA_CMP_OP, htonl(NFT_CMP_EQ)))
|
|
goto nla_put_failure;
|
|
|
|
data.data[0] = priv->data;
|
|
if (nft_data_dump(skb, NFTA_CMP_DATA, &data,
|
|
NFT_DATA_VALUE, priv->len / BITS_PER_BYTE) < 0)
|
|
goto nla_put_failure;
|
|
return 0;
|
|
|
|
nla_put_failure:
|
|
return -1;
|
|
}
|
|
|
|
const struct nft_expr_ops nft_cmp_fast_ops = {
|
|
.type = &nft_cmp_type,
|
|
.size = NFT_EXPR_SIZE(sizeof(struct nft_cmp_fast_expr)),
|
|
.eval = NULL, /* inlined */
|
|
.init = nft_cmp_fast_init,
|
|
.dump = nft_cmp_fast_dump,
|
|
};
|
|
|
|
static const struct nft_expr_ops *
|
|
nft_cmp_select_ops(const struct nft_ctx *ctx, const struct nlattr * const tb[])
|
|
{
|
|
struct nft_data_desc desc;
|
|
struct nft_data data;
|
|
enum nft_cmp_ops op;
|
|
int err;
|
|
|
|
if (tb[NFTA_CMP_SREG] == NULL ||
|
|
tb[NFTA_CMP_OP] == NULL ||
|
|
tb[NFTA_CMP_DATA] == NULL)
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
op = ntohl(nla_get_be32(tb[NFTA_CMP_OP]));
|
|
switch (op) {
|
|
case NFT_CMP_EQ:
|
|
case NFT_CMP_NEQ:
|
|
case NFT_CMP_LT:
|
|
case NFT_CMP_LTE:
|
|
case NFT_CMP_GT:
|
|
case NFT_CMP_GTE:
|
|
break;
|
|
default:
|
|
return ERR_PTR(-EINVAL);
|
|
}
|
|
|
|
err = nft_data_init(NULL, &data, sizeof(data), &desc,
|
|
tb[NFTA_CMP_DATA]);
|
|
if (err < 0)
|
|
return ERR_PTR(err);
|
|
|
|
if (desc.type != NFT_DATA_VALUE) {
|
|
err = -EINVAL;
|
|
goto err1;
|
|
}
|
|
|
|
if (desc.len <= sizeof(u32) && op == NFT_CMP_EQ)
|
|
return &nft_cmp_fast_ops;
|
|
|
|
return &nft_cmp_ops;
|
|
err1:
|
|
nft_data_release(&data, desc.type);
|
|
return ERR_PTR(-EINVAL);
|
|
}
|
|
|
|
struct nft_expr_type nft_cmp_type __read_mostly = {
|
|
.name = "cmp",
|
|
.select_ops = nft_cmp_select_ops,
|
|
.policy = nft_cmp_policy,
|
|
.maxattr = NFTA_CMP_MAX,
|
|
.owner = THIS_MODULE,
|
|
};
|