mirror of https://gitee.com/openkylin/linux.git
netfilter: nf_tables: support different set binding types
Currently a set binding is assumed to be related to a lookup and, in case of maps, a data load. In order to use bindings for set updates, the loop detection checks must be restricted to map operations only. Add a flags member to the binding struct to hold the set "action" flags such as NFT_SET_MAP, and perform loop detection based on these. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
3dd0673ac3
commit
11113e190b
|
@ -316,6 +316,7 @@ static inline unsigned long nft_set_gc_interval(const struct nft_set *set)
|
|||
*
|
||||
* @list: set bindings list node
|
||||
* @chain: chain containing the rule bound to the set
|
||||
* @flags: set action flags
|
||||
*
|
||||
* A set binding contains all information necessary for validation
|
||||
* of new elements added to a bound set.
|
||||
|
@ -323,6 +324,7 @@ static inline unsigned long nft_set_gc_interval(const struct nft_set *set)
|
|||
struct nft_set_binding {
|
||||
struct list_head list;
|
||||
const struct nft_chain *chain;
|
||||
u32 flags;
|
||||
};
|
||||
|
||||
int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
|
||||
|
|
|
@ -2811,12 +2811,13 @@ int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
|
|||
if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
|
||||
return -EBUSY;
|
||||
|
||||
if (set->flags & NFT_SET_MAP) {
|
||||
if (binding->flags & NFT_SET_MAP) {
|
||||
/* If the set is already bound to the same chain all
|
||||
* jumps are already validated for that chain.
|
||||
*/
|
||||
list_for_each_entry(i, &set->bindings, list) {
|
||||
if (i->chain == binding->chain)
|
||||
if (binding->flags & NFT_SET_MAP &&
|
||||
i->chain == binding->chain)
|
||||
goto bind;
|
||||
}
|
||||
|
||||
|
@ -3312,6 +3313,9 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
|
|||
.chain = (struct nft_chain *)binding->chain,
|
||||
};
|
||||
|
||||
if (!(binding->flags & NFT_SET_MAP))
|
||||
continue;
|
||||
|
||||
err = nft_validate_data_load(&bind_ctx, dreg,
|
||||
&data, d2.type);
|
||||
if (err < 0)
|
||||
|
@ -4063,7 +4067,8 @@ static int nf_tables_check_loops(const struct nft_ctx *ctx,
|
|||
continue;
|
||||
|
||||
list_for_each_entry(binding, &set->bindings, list) {
|
||||
if (binding->chain != chain)
|
||||
if (!(binding->flags & NFT_SET_MAP) ||
|
||||
binding->chain != chain)
|
||||
continue;
|
||||
|
||||
iter.skip = 0;
|
||||
|
|
|
@ -92,6 +92,8 @@ static int nft_lookup_init(const struct nft_ctx *ctx,
|
|||
} else if (set->flags & NFT_SET_MAP)
|
||||
return -EINVAL;
|
||||
|
||||
priv->binding.flags = set->flags & NFT_SET_MAP;
|
||||
|
||||
err = nf_tables_bind_set(ctx, set, &priv->binding);
|
||||
if (err < 0)
|
||||
return err;
|
||||
|
|
Loading…
Reference in New Issue