Unverified Commit 21514d72 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!2383 nf_table LTS

Merge Pull Request from: @ci-robot 
 
PR sync from: Lu Wei <luwei32@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/L2G45QT5V2CQGLPTC37WVTGCXUM6X2GS/ 
Florian Westphal (1):
  netfilter: nf_tables: use net_generic infra for transaction data

Lu Wei (7):
  Revert "netfilter: nf_tables: unbind non-anonymous set if rule
    construction fails"
  Revert "netfilter: nf_tables: skip immediate deactivate in
    _PREPARE_ERROR"
  Revert "netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with
    bound set/chain"
  Revert "netfilter: nf_tables: fix chain binding transaction logic"
  Revert "netfilter: nf_tables: incorrect error path handling with
    NFT_MSG_NEWRULE"
  Revert "netfilter: nf_tables: skip bound chain on rule flush"
  Revert "netfilter: nf_tables: disallow rule addition to bound chain
    via NFTA_RULE_CHAIN_ID"

Pablo Neira Ayuso (11):
  netfilter: nf_tables: incorrect error path handling with
    NFT_MSG_NEWRULE
  netfilter: nf_tables: fix chain binding transaction logic
  netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound
    set/chain
  netfilter: nf_tables: reject unbound anonymous set before commit phase
  netfilter: nf_tables: reject unbound chain set before commit phase
  netfilter: nftables: rename set element data activation/deactivation
    functions
  netfilter: nf_tables: drop map element references from preparation
    phase
  netfilter: nf_tables: unbind non-anonymous set if rule construction
    fails
  netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR
  netfilter: nf_tables: skip bound chain on rule flush
  netfilter: nf_tables: disallow rule addition to bound chain via
    NFTA_RULE_CHAIN_ID


-- 
2.34.1
 
https://gitee.com/openeuler/kernel/issues/I86JB6 
 
Link:https://gitee.com/openeuler/kernel/pulls/2383

 

Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
parents 4511bbb6 783c8b11
+17 −1
@@ -383,7 +383,8 @@ struct nft_set_ops {
	int				(*init)(const struct nft_set *set,
						const struct nft_set_desc *desc,
						const struct nlattr * const nla[]);
	void				(*destroy)(const struct nft_set *set);
	void				(*destroy)(const struct nft_ctx *ctx,
						   const struct nft_set *set);
	void				(*gc_init)(const struct nft_set *set);

	unsigned int			elemsize;
@@ -687,6 +688,8 @@ void *nft_set_elem_init(const struct nft_set *set,
			u64 timeout, u64 expiration, gfp_t gfp);
void nft_set_elem_destroy(const struct nft_set *set, void *elem,
			  bool destroy_expr);
void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
				const struct nft_set *set, void *elem);

/**
 *	struct nft_set_gc_batch_head - nf_tables set garbage collection batch
@@ -1427,6 +1430,7 @@ static inline void nft_set_elem_clear_busy(struct nft_set_ext *ext)
 *	struct nft_trans - nf_tables object update in transaction
 *
 *	@list: used internally
 *	@binding_list: list of objects with possible bindings
 *	@msg_type: message type
 *	@put_net: ctx->net needs to be put
 *	@ctx: transaction context
@@ -1434,6 +1438,7 @@ static inline void nft_set_elem_clear_busy(struct nft_set_ext *ext)
 */
struct nft_trans {
	struct list_head		list;
	struct list_head		binding_list;
	int				msg_type;
	bool				put_net;
	struct nft_ctx			ctx;
@@ -1557,4 +1562,15 @@ void nf_tables_trans_destroy_flush_work(void);
int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result);
__be64 nf_jiffies64_to_msecs(u64 input);

struct nftables_pernet {
	struct list_head	tables;
	struct list_head	commit_list;
	struct list_head	binding_list;
	struct list_head	module_list;
	struct list_head	notify_list;
	struct mutex		commit_mutex;
	unsigned int		base_seq;
	u8			validate_state;
};

#endif /* _NET_NF_TABLES_H */
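Review bot: The new `struct nftables_pernet` at the end of this section, and the `binding_list` it and `struct nft_trans` gain, carry no comment saying what the list holds or which lock guards the container, even though the `nft_trans` kernel-doc above was extended for its own `binding_list`. A header comment such as `/* Per-netns nf_tables state, reached via net_generic(net, nf_tables_net_id); the lists are walked under commit_mutex */` would make the locking contract explicit — the callers visible elsewhere in this commit do take `commit_mutex` before touching `tables` and `commit_list`, and presumably the same applies to `binding_list`. The allocation path that must `INIT_LIST_HEAD(&trans->binding_list)` lives in nf_tables_api.c, which is collapsed on this page; it is worth confirming it does, since a `list_del()` on a transaction that was never added to `binding_list` would otherwise hit an uninitialized list head.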
+7 −7
@@ -6,14 +6,14 @@
#include <linux/kabi.h>

struct netns_nftables {
	struct list_head	tables;
	struct list_head	commit_list;
	struct list_head	module_list;
	struct list_head	notify_list;
	struct mutex		commit_mutex;
	unsigned int		base_seq;
	KABI_DEPRECATE(struct list_head, tables)
	KABI_DEPRECATE(struct list_head, commit_list)
	KABI_DEPRECATE(struct list_head, module_list)
	KABI_DEPRECATE(struct list_head, notify_list)
	KABI_DEPRECATE(struct mutex, commit_mutex)
	KABI_DEPRECATE(unsigned int, base_seq)
	u8			gencursor;
	u8			validate_state;
	KABI_DEPRECATE(u8, validate_state)

	KABI_RESERVE(1)
};
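Review bot: The six `KABI_DEPRECATE` placeholders in `struct netns_nftables` give no pointer to where the state went, so a reader of this header (or an out-of-tree module that still names `net->nft.commit_mutex`) has nothing to follow. A one-line comment above the first placeholder, `/* state moved to struct nftables_pernet (net_generic, nf_tables_net_id); slots kept only to preserve KABI layout */`, would close that gap. Only `gencursor` stays live in this struct; if that is because the packet path reads it without the `net_generic()` lookup, saying so in the same comment would stop someone from "completing" the move later.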
+369 −165

File changed.

Preview size limit exceeded, changes collapsed.

+19 −11
@@ -7,6 +7,8 @@
#include <net/netfilter/nf_tables_offload.h>
#include <net/pkt_cls.h>

extern unsigned int nf_tables_net_id;

static struct nft_flow_rule *nft_flow_rule_alloc(int num_actions)
{
	struct nft_flow_rule *flow;
@@ -371,16 +373,18 @@ static void nft_indr_block_cleanup(struct flow_block_cb *block_cb)
	struct nft_base_chain *basechain = block_cb->indr.data;
	struct net_device *dev = block_cb->indr.dev;
	struct netlink_ext_ack extack = {};
	struct nftables_pernet *nft_net;
	struct net *net = dev_net(dev);
	struct flow_block_offload bo;

	nft_flow_block_offload_init(&bo, dev_net(dev), FLOW_BLOCK_UNBIND,
				    basechain, &extack);
	mutex_lock(&net->nft.commit_mutex);
	nft_net = net_generic(net, nf_tables_net_id);
	mutex_lock(&nft_net->commit_mutex);
	list_del(&block_cb->driver_list);
	list_move(&block_cb->list, &bo.cb_list);
	nft_flow_offload_unbind(&bo, basechain);
	mutex_unlock(&net->nft.commit_mutex);
	mutex_unlock(&nft_net->commit_mutex);
}

static int nft_indr_block_offload_cmd(struct nft_base_chain *basechain,
@@ -476,9 +480,10 @@ static int nft_flow_offload_chain(struct nft_chain *chain, u8 *ppolicy,
static void nft_flow_rule_offload_abort(struct net *net,
					struct nft_trans *trans)
{
	struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
	int err = 0;

	list_for_each_entry_continue_reverse(trans, &net->nft.commit_list, list) {
	list_for_each_entry_continue_reverse(trans, &nft_net->commit_list, list) {
		if (trans->ctx.family != NFPROTO_NETDEV)
			continue;

@@ -524,11 +529,12 @@ static void nft_flow_rule_offload_abort(struct net *net,

int nft_flow_rule_offload_commit(struct net *net)
{
	struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
	struct nft_trans *trans;
	int err = 0;
	u8 policy;

	list_for_each_entry(trans, &net->nft.commit_list, list) {
	list_for_each_entry(trans, &nft_net->commit_list, list) {
		if (trans->ctx.family != NFPROTO_NETDEV)
			continue;

@@ -580,7 +586,7 @@ int nft_flow_rule_offload_commit(struct net *net)
		}
	}

	list_for_each_entry(trans, &net->nft.commit_list, list) {
	list_for_each_entry(trans, &nft_net->commit_list, list) {
		if (trans->ctx.family != NFPROTO_NETDEV)
			continue;

@@ -600,15 +606,15 @@ int nft_flow_rule_offload_commit(struct net *net)
	return err;
}

static struct nft_chain *__nft_offload_get_chain(struct net_device *dev)
static struct nft_chain *__nft_offload_get_chain(const struct nftables_pernet *nft_net,
						 struct net_device *dev)
{
	struct nft_base_chain *basechain;
	struct net *net = dev_net(dev);
	struct nft_hook *hook, *found;
	const struct nft_table *table;
	struct nft_chain *chain;

	list_for_each_entry(table, &net->nft.tables, list) {
	list_for_each_entry(table, &nft_net->tables, list) {
		if (table->family != NFPROTO_NETDEV)
			continue;

@@ -640,19 +646,21 @@ static int nft_offload_netdev_event(struct notifier_block *this,
				    unsigned long event, void *ptr)
{
	struct net_device *dev = netdev_notifier_info_to_dev(ptr);
	struct nftables_pernet *nft_net;
	struct net *net = dev_net(dev);
	struct nft_chain *chain;

	if (event != NETDEV_UNREGISTER)
		return NOTIFY_DONE;

	mutex_lock(&net->nft.commit_mutex);
	chain = __nft_offload_get_chain(dev);
	nft_net = net_generic(net, nf_tables_net_id);
	mutex_lock(&nft_net->commit_mutex);
	chain = __nft_offload_get_chain(nft_net, dev);
	if (chain)
		nft_flow_block_chain(nft_base_chain(chain), dev,
				     FLOW_BLOCK_UNBIND);

	mutex_unlock(&net->nft.commit_mutex);
	mutex_unlock(&nft_net->commit_mutex);

	return NOTIFY_DONE;
}
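Review bot: The `extern unsigned int nf_tables_net_id;` added at the top of this file, together with the five hand-written `net_generic(net, nf_tables_net_id)` lookups below it, is a pattern this commit repeats in nft_chain_filter.c as well; declaring the id once in nf_tables.h and giving it a small accessor keeps every caller on the same path. Something like `extern unsigned int nf_tables_net_id;` followed by `static inline struct nftables_pernet *nft_pernet(const struct net *net) { return net_generic(net, nf_tables_net_id); }` in the header would let `nft_indr_block_cleanup`, `nft_flow_rule_offload_abort`, `nft_flow_rule_offload_commit` and `nft_offload_netdev_event` each collapse their lookup to `nft_net = nft_pernet(net);`. As a side benefit the `struct nftables_pernet *nft_net` locals could then be initialized at declaration in the two notifier-style functions instead of after the early returns.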
+8 −3
@@ -2,6 +2,7 @@
#include <linux/kernel.h>
#include <linux/netdevice.h>
#include <net/net_namespace.h>
#include <net/netns/generic.h>
#include <net/netfilter/nf_tables.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv6.h>
@@ -10,6 +11,8 @@
#include <net/netfilter/nf_tables_ipv4.h>
#include <net/netfilter/nf_tables_ipv6.h>

extern unsigned int nf_tables_net_id;

#ifdef CONFIG_NF_TABLES_IPV4
static unsigned int nft_do_chain_ipv4(void *priv,
				      struct sk_buff *skb,
@@ -355,6 +358,7 @@ static int nf_tables_netdev_event(struct notifier_block *this,
				  unsigned long event, void *ptr)
{
	struct net_device *dev = netdev_notifier_info_to_dev(ptr);
	struct nftables_pernet *nft_net;
	struct nft_table *table;
	struct nft_chain *chain, *nr;
	struct nft_ctx ctx = {
@@ -365,8 +369,9 @@ static int nf_tables_netdev_event(struct notifier_block *this,
	    event != NETDEV_CHANGENAME)
		return NOTIFY_DONE;

	mutex_lock(&ctx.net->nft.commit_mutex);
	list_for_each_entry(table, &ctx.net->nft.tables, list) {
	nft_net = net_generic(ctx.net, nf_tables_net_id);
	mutex_lock(&nft_net->commit_mutex);
	list_for_each_entry(table, &nft_net->tables, list) {
		if (table->family != NFPROTO_NETDEV)
			continue;

@@ -380,7 +385,7 @@ static int nf_tables_netdev_event(struct notifier_block *this,
			nft_netdev_event(event, dev, &ctx);
		}
	}
	mutex_unlock(&ctx.net->nft.commit_mutex);
	mutex_unlock(&nft_net->commit_mutex);

	return NOTIFY_DONE;
}
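Review bot: In `nf_tables_netdev_event` the switch from `ctx.net->nft.commit_mutex` to `nft_net->commit_mutex` is correct, but nothing says why a netdev notifier takes the nf_tables transaction mutex at all, and the reason is now one step further from the reader since the protected lists no longer sit next to the lock in `struct net`. A comment above the lock, `/* commit_mutex guards nft_net->tables and the chain hooks nft_netdev_event() tears down */`, would anchor that; the second half of the claim is my reading of the `nft_netdev_event(event, dev, &ctx)` call and should be confirmed against that helper. The `struct nft_ctx ctx = {` initializer this function relies on for `ctx.net` begins in the hunk but its remaining fields are outside it.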