Commit 7b35582c authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso
Browse files

netfilter: nftables: allow to update flowtable flags 



Honor flowtable flags from the control update path. Disallow disabling
to toggle hardware offload support though.

Fixes: 8bb69f3b ("netfilter: nf_tables: add flowtable offload control plane")
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 7e6136f1

include/net/netfilter/nf_tables.h

+3 −0
Original line number Diff line number Diff line
@@ -1536,6 +1536,7 @@ struct nft_trans_flowtable { 
	struct nft_flowtable		*flowtable;

	bool				update;

	struct list_head		hook_list;

	u32				flags;

};



#define nft_trans_flowtable(trans)	\
@@ -1544,6 +1545,8 @@ struct nft_trans_flowtable { 
	(((struct nft_trans_flowtable *)trans->data)->update)

#define nft_trans_flowtable_hooks(trans)	\

	(((struct nft_trans_flowtable *)trans->data)->hook_list)

#define nft_trans_flowtable_flags(trans)	\

	(((struct nft_trans_flowtable *)trans->data)->flags)



int __init nft_chain_filter_init(void);

void nft_chain_filter_fini(void);

net/netfilter/nf_tables_api.c

+15 −0
Original line number Diff line number Diff line
@@ -6842,6 +6842,7 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, 
	struct nft_hook *hook, *next;

	struct nft_trans *trans;

	bool unregister = false;

	u32 flags;

	int err;



	err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
@@ -6856,6 +6857,17 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, 
		}

	}



	if (nla[NFTA_FLOWTABLE_FLAGS]) {

		flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));

		if (flags & ~NFT_FLOWTABLE_MASK)

			return -EOPNOTSUPP;

		if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^

		    (flags & NFT_FLOWTABLE_HW_OFFLOAD))

			return -EOPNOTSUPP;

	} else {

		flags = flowtable->data.flags;

	}



	err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,

					       &flowtable_hook.list, flowtable);

	if (err < 0)
@@ -6869,6 +6881,7 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, 
		goto err_flowtable_update_hook;

	}



	nft_trans_flowtable_flags(trans) = flags;

	nft_trans_flowtable(trans) = flowtable;

	nft_trans_flowtable_update(trans) = true;

	INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
@@ -8178,6 +8191,8 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) 
			break;

		case NFT_MSG_NEWFLOWTABLE:

			if (nft_trans_flowtable_update(trans)) {

				nft_trans_flowtable(trans)->data.flags =

					nft_trans_flowtable_flags(trans);

				nf_tables_flowtable_notify(&trans->ctx,

							   nft_trans_flowtable(trans),

							   &nft_trans_flowtable_hooks(trans),