Commit a8fe4154 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso
Browse files

netfilter: nf_tables: add function to create set stateful expressions 



Add a helper function to allocate and initialize the stateful expressions
that are defined in a set.

This patch allows to reuse this code from the set update path, to check
that type of the update matches the existing set in the kernel.

Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent bed4a63e

net/netfilter/nf_tables_api.c

+68 −38
Original line number Diff line number Diff line
@@ -4388,6 +4388,59 @@ static int nf_tables_set_desc_parse(struct nft_set_desc *desc, 
	return err;

}



static int nft_set_expr_alloc(struct nft_ctx *ctx, struct nft_set *set,

			      const struct nlattr * const *nla,

			      struct nft_expr **exprs, int *num_exprs,

			      u32 flags)

{

	struct nft_expr *expr;

	int err, i;



	if (nla[NFTA_SET_EXPR]) {

		expr = nft_set_elem_expr_alloc(ctx, set, nla[NFTA_SET_EXPR]);

		if (IS_ERR(expr)) {

			err = PTR_ERR(expr);

			goto err_set_expr_alloc;

		}

		exprs[0] = expr;

		(*num_exprs)++;

	} else if (nla[NFTA_SET_EXPRESSIONS]) {

		struct nlattr *tmp;

		int left;



		if (!(flags & NFT_SET_EXPR)) {

			err = -EINVAL;

			goto err_set_expr_alloc;

		}

		i = 0;

		nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {

			if (i == NFT_SET_EXPR_MAX) {

				err = -E2BIG;

				goto err_set_expr_alloc;

			}

			if (nla_type(tmp) != NFTA_LIST_ELEM) {

				err = -EINVAL;

				goto err_set_expr_alloc;

			}

			expr = nft_set_elem_expr_alloc(ctx, set, tmp);

			if (IS_ERR(expr)) {

				err = PTR_ERR(expr);

				goto err_set_expr_alloc;

			}

			exprs[i++] = expr;

			(*num_exprs)++;

		}

	}



	return 0;



err_set_expr_alloc:

	for (i = 0; i < *num_exprs; i++)

		nft_expr_destroy(ctx, exprs[i]);



	return err;

}



static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,

			    const struct nlattr * const nla[])

{
@@ -4395,7 +4448,6 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, 
	u8 genmask = nft_genmask_next(info->net);

	u8 family = info->nfmsg->nfgen_family;

	const struct nft_set_ops *ops;

	struct nft_expr *expr = NULL;

	struct net *net = info->net;

	struct nft_set_desc desc;

	struct nft_table *table;
@@ -4403,6 +4455,7 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, 
	struct nft_set *set;

	struct nft_ctx ctx;

	size_t alloc_size;

	int num_exprs = 0;

	char *name;

	int err, i;

	u16 udlen;
@@ -4529,6 +4582,8 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, 
			return PTR_ERR(set);

		}

	} else {

		struct nft_expr *exprs[NFT_SET_EXPR_MAX] = {};



		if (info->nlh->nlmsg_flags & NLM_F_EXCL) {

			NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);

			return -EEXIST;
@@ -4536,6 +4591,13 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, 
		if (info->nlh->nlmsg_flags & NLM_F_REPLACE)

			return -EOPNOTSUPP;



		err = nft_set_expr_alloc(&ctx, set, nla, exprs, &num_exprs, flags);

		if (err < 0)

			return err;



		for (i = 0; i < num_exprs; i++)

			nft_expr_destroy(&ctx, exprs[i]);



		return 0;

	}
@@ -4603,43 +4665,11 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, 
	if (err < 0)

		goto err_set_init;



	if (nla[NFTA_SET_EXPR]) {

		expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]);

		if (IS_ERR(expr)) {

			err = PTR_ERR(expr);

			goto err_set_expr_alloc;

		}

		set->exprs[0] = expr;

		set->num_exprs++;

	} else if (nla[NFTA_SET_EXPRESSIONS]) {

		struct nft_expr *expr;

		struct nlattr *tmp;

		int left;



		if (!(flags & NFT_SET_EXPR)) {

			err = -EINVAL;

			goto err_set_expr_alloc;

		}

		i = 0;

		nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {

			if (i == NFT_SET_EXPR_MAX) {

				err = -E2BIG;

				goto err_set_expr_alloc;

			}

			if (nla_type(tmp) != NFTA_LIST_ELEM) {

				err = -EINVAL;

				goto err_set_expr_alloc;

			}

			expr = nft_set_elem_expr_alloc(&ctx, set, tmp);

			if (IS_ERR(expr)) {

				err = PTR_ERR(expr);

				goto err_set_expr_alloc;

			}

			set->exprs[i++] = expr;

			set->num_exprs++;

		}

	}

	err = nft_set_expr_alloc(&ctx, set, nla, set->exprs, &num_exprs, flags);

	if (err < 0)

		goto err_set_destroy;



	set->num_exprs = num_exprs;

	set->handle = nf_tables_alloc_handle(table);



	err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
@@ -4653,7 +4683,7 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, 
err_set_expr_alloc:

	for (i = 0; i < set->num_exprs; i++)

		nft_expr_destroy(&ctx, set->exprs[i]);



err_set_destroy:

	ops->destroy(set);

err_set_init:

	kfree(set->name);