leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity

netfilter: nf_tables: simplify NLM_F_CREATE handling

Browse Source 
* From nf_tables_newchain(), codepath provides context that allows us to
  infer if we are updating a chain (in that case, no module autoload is
  required) or adding a new one (then, module autoload is indeed
  needed).
* We only need it in one single spot in nf_tables_newrule().
* Not needed for nf_tables_newset() at all.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Pablo Neira Ayuso 2018-08-03 13:35:36 +02:00
parent 94276fa8a2
commit 445509eb9b
1 changed files with 10 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
net/netfilter/nf_tables_api.c
View File

@ -1442,7 +1442,7 @@ struct nft_chain_hook {
static int nft_chain_parse_hook(struct net *net, static int nft_chain_parse_hook(struct net *net,
const struct nlattr * const nla[], const struct nlattr * const nla[],
struct nft_chain_hook *hook, u8 family, struct nft_chain_hook *hook, u8 family,
bool create) bool autoload)
{ {
struct nlattr *ha[NFTA_HOOK_MAX + 1]; struct nlattr *ha[NFTA_HOOK_MAX + 1];
const struct nft_chain_type *type; const struct nft_chain_type *type;
@ -1467,7 +1467,7 @@ static int nft_chain_parse_hook(struct net *net,
type = chain_type[family][NFT_CHAIN_T_DEFAULT]; type = chain_type[family][NFT_CHAIN_T_DEFAULT];
if (nla[NFTA_CHAIN_TYPE]) { if (nla[NFTA_CHAIN_TYPE]) {
type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE], type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
family, create); family, autoload);
if (IS_ERR(type)) if (IS_ERR(type))
return PTR_ERR(type); return PTR_ERR(type);
} }
@ -1534,7 +1534,7 @@ static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *cha
} }
static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
u8 policy, bool create) u8 policy)
{ {
const struct nlattr * const *nla = ctx->nla; const struct nlattr * const *nla = ctx->nla;
struct nft_table *table = ctx->table; struct nft_table *table = ctx->table;
@ -1552,7 +1552,7 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
struct nft_chain_hook hook; struct nft_chain_hook hook;
struct nf_hook_ops *ops; struct nf_hook_ops *ops;
err = nft_chain_parse_hook(net, nla, &hook, family, create); err = nft_chain_parse_hook(net, nla, &hook, family, true);
if (err < 0) if (err < 0)
return err; return err;
@ -1643,8 +1643,7 @@ err1:
return err; return err;
} }
static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy)
bool create)
{ {
const struct nlattr * const *nla = ctx->nla; const struct nlattr * const *nla = ctx->nla;
struct nft_table *table = ctx->table; struct nft_table *table = ctx->table;
@ -1661,7 +1660,7 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
return -EBUSY; return -EBUSY;
err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family, err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
create); false);
if (err < 0) if (err < 0)
return err; return err;
@ -1761,9 +1760,6 @@ static int nf_tables_newchain(struct net *net, struct sock *nlsk,
u8 policy = NF_ACCEPT; u8 policy = NF_ACCEPT;
struct nft_ctx ctx; struct nft_ctx ctx;
u64 handle = 0; u64 handle = 0;
bool create;
create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
lockdep_assert_held(&net->nft.commit_mutex); lockdep_assert_held(&net->nft.commit_mutex);
@ -1828,10 +1824,10 @@ static int nf_tables_newchain(struct net *net, struct sock *nlsk,
if (nlh->nlmsg_flags & NLM_F_REPLACE) if (nlh->nlmsg_flags & NLM_F_REPLACE)
return -EOPNOTSUPP; return -EOPNOTSUPP;
return nf_tables_updchain(&ctx, genmask, policy, create); return nf_tables_updchain(&ctx, genmask, policy);
} }
return nf_tables_addchain(&ctx, family, genmask, policy, create); return nf_tables_addchain(&ctx, family, genmask, policy);
} }
static int nf_tables_delchain(struct net *net, struct sock *nlsk, static int nf_tables_delchain(struct net *net, struct sock *nlsk,
@ -2529,13 +2525,10 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk,
struct nlattr *tmp; struct nlattr *tmp;
unsigned int size, i, n, ulen = 0, usize = 0; unsigned int size, i, n, ulen = 0, usize = 0;
int err, rem; int err, rem;
bool create;
u64 handle, pos_handle; u64 handle, pos_handle;
lockdep_assert_held(&net->nft.commit_mutex); lockdep_assert_held(&net->nft.commit_mutex);
create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask); table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
if (IS_ERR(table)) { if (IS_ERR(table)) {
NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
@ -2565,7 +2558,8 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk,
else else
return -EOPNOTSUPP; return -EOPNOTSUPP;
} else { } else {
if (!create || nlh->nlmsg_flags & NLM_F_REPLACE) if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
nlh->nlmsg_flags & NLM_F_REPLACE)
return -EINVAL; return -EINVAL;
handle = nf_tables_alloc_handle(table); handle = nf_tables_alloc_handle(table);
@ -3361,7 +3355,6 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk,
struct nft_ctx ctx; struct nft_ctx ctx;
char *name; char *name;
unsigned int size; unsigned int size;
bool create;
u64 timeout; u64 timeout;
u32 ktype, dtype, flags, policy, gc_int, objtype; u32 ktype, dtype, flags, policy, gc_int, objtype;
struct nft_set_desc desc; struct nft_set_desc desc;
@ -3462,8 +3455,6 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk,
return err; return err;
} }
create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask); table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
if (IS_ERR(table)) { if (IS_ERR(table)) {
NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);