Commit f3737edb authored by Jakub Kicinski

Merge branch 'fib-rules-convert-rtm_newrule-and-rtm_delrule-to-per-netns-rtnl'

Kuniyuki Iwashima says:

====================
fib: rules: Convert RTM_NEWRULE and RTM_DELRULE to per-netns RTNL.

Patches 1 and 2 are small cleanups, and patches 3 to 8 make fib_nl_newrule()
and fib_nl_delrule() hold the per-netns RTNL.

v1: https://lore.kernel.org/20250206084629.16602-1-kuniyu@amazon.com
====================

Link: https://patch.msgid.link/20250207072502.87775-1-kuniyu@amazon.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parents 51b2483b 88b9cfca
+2 −4
@@ -1537,14 +1537,12 @@ static int vrf_fib_rule(const struct net_device *dev, __u8 family, bool add_it)

	nlmsg_end(skb, nlh);

	/* fib_nl_{new,del}rule handling looks for net from skb->sk */
	skb->sk = dev_net(dev)->rtnl;
	if (add_it) {
		err = fib_nl_newrule(skb, nlh, NULL);
		err = fib_newrule(dev_net(dev), skb, nlh, NULL, true);
		if (err == -EEXIST)
			err = 0;
	} else {
		err = fib_nl_delrule(skb, nlh, NULL);
		err = fib_delrule(dev_net(dev), skb, nlh, NULL, true);
		if (err == -ENOENT)
			err = 0;
	}
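Review bot: Dropping `skb->sk = dev_net(dev)->rtnl;` leaves the skb's socket NULL while `skb` is still handed to fib_newrule()/fib_delrule(), which in turn pass it to NETLINK_CB() and to the ops callbacks; fib4/fib6 ->configure are converted in this series to read rule->fr_net, but any other family callback still calling sock_net(skb->sk) would now dereference NULL, and that cannot be confirmed from this hunk. A comment where the old one stood would pin the new contract, e.g. `/* skb->sk stays NULL: net is passed explicitly and the caller holds RTNL */`. Passing `true` for rtnl_held also relies on vrf_fib_rule()'s caller holding the lock that ASSERT_RTNL_NET() checks for dev_net(dev); that caller is outside the hunk. vrf_fib_rule() starts and ends outside this hunk.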
+4 −4
@@ -178,10 +178,10 @@ int fib_rules_dump(struct net *net, struct notifier_block *nb, int family,
		   struct netlink_ext_ack *extack);
unsigned int fib_rules_seq_read(const struct net *net, int family);

int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr *nlh,
		   struct netlink_ext_ack *extack);
int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr *nlh,
		   struct netlink_ext_ack *extack);
int fib_newrule(struct net *net, struct sk_buff *skb, struct nlmsghdr *nlh,
		struct netlink_ext_ack *extack, bool rtnl_held);
int fib_delrule(struct net *net, struct sk_buff *skb, struct nlmsghdr *nlh,
		struct netlink_ext_ack *extack, bool rtnl_held);

INDIRECT_CALLABLE_DECLARE(int fib6_rule_match(struct fib_rule *rule,
					    struct flowi *fl, int flags));
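Review bot: The new fib_newrule()/fib_delrule() prototypes add a separate `net` argument and a `rtnl_held` flag with no comment stating the locking contract, and this header is where out-of-tree and other in-tree callers will look. A kernel-doc block above the pair should say that `net` is the namespace the rule belongs to, that when `rtnl_held` is true the caller must already hold the per-netns RTNL for `net` (otherwise the functions take and release it themselves), and that `skb` is still required because the change notification uses its netlink portid. The exported names changed from fib_nl_{new,del}rule, so the comment should also mention that those are now static netlink doit handlers.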
+100 −51
@@ -371,7 +371,8 @@ static int call_fib_rule_notifiers(struct net *net,
		.rule = rule,
	};

	ASSERT_RTNL();
	ASSERT_RTNL_NET(net);

	/* Paired with READ_ONCE() in fib_rules_seq() */
	WRITE_ONCE(ops->fib_rules_seq, ops->fib_rules_seq + 1);
	return call_fib_notifiers(net, event_type, &info.info);
@@ -459,9 +460,6 @@ static struct fib_rule *rule_find(struct fib_rules_ops *ops,
		if (rule->tun_id && r->tun_id != rule->tun_id)
			continue;

		if (r->fr_net != rule->fr_net)
			continue;

		if (rule->l3mdev && r->l3mdev != rule->l3mdev)
			continue;

@@ -515,14 +513,13 @@ static int fib_nl2rule_l3mdev(struct nlattr *nla, struct fib_rule *nlrule,
}
#endif

static int fib_nl2rule(struct sk_buff *skb, struct nlmsghdr *nlh,
static int fib_nl2rule(struct net *net, struct nlmsghdr *nlh,
		       struct netlink_ext_ack *extack,
		       struct fib_rules_ops *ops,
		       struct nlattr *tb[],
		       struct fib_rule **rule,
		       bool *user_priority)
{
	struct net *net = sock_net(skb->sk);
	struct fib_rule_hdr *frh = nlmsg_data(nlh);
	struct fib_rule *nlrule = NULL;
	int err = -EINVAL;
@@ -554,30 +551,18 @@ static int fib_nl2rule(struct sk_buff *skb, struct nlmsghdr *nlh,
	if (tb[FRA_PRIORITY]) {
		nlrule->pref = nla_get_u32(tb[FRA_PRIORITY]);
		*user_priority = true;
	} else {
		nlrule->pref = fib_default_rule_pref(ops);
	}

	nlrule->proto = nla_get_u8_default(tb[FRA_PROTOCOL], RTPROT_UNSPEC);

	if (tb[FRA_IIFNAME]) {
		struct net_device *dev;

		nlrule->iifindex = -1;
		nla_strscpy(nlrule->iifname, tb[FRA_IIFNAME], IFNAMSIZ);
		dev = __dev_get_by_name(net, nlrule->iifname);
		if (dev)
			nlrule->iifindex = dev->ifindex;
	}

	if (tb[FRA_OIFNAME]) {
		struct net_device *dev;

		nlrule->oifindex = -1;
		nla_strscpy(nlrule->oifname, tb[FRA_OIFNAME], IFNAMSIZ);
		dev = __dev_get_by_name(net, nlrule->oifname);
		if (dev)
			nlrule->oifindex = dev->ifindex;
	}

	if (tb[FRA_FWMARK]) {
@@ -619,11 +604,6 @@ static int fib_nl2rule(struct sk_buff *skb, struct nlmsghdr *nlh,
		}

		nlrule->target = nla_get_u32(tb[FRA_GOTO]);
		/* Backward jumps are prohibited to avoid endless loops */
		if (nlrule->target <= nlrule->pref) {
			NL_SET_ERR_MSG(extack, "Backward goto not supported");
			goto errout_free;
		}
	} else if (nlrule->action == FR_ACT_GOTO) {
		NL_SET_ERR_MSG(extack, "Missing goto target for action goto");
		goto errout_free;
@@ -683,6 +663,39 @@ static int fib_nl2rule(struct sk_buff *skb, struct nlmsghdr *nlh,
	return err;
}

static int fib_nl2rule_rtnl(struct fib_rule *nlrule,
			    struct fib_rules_ops *ops,
			    struct nlattr *tb[],
			    struct netlink_ext_ack *extack)
{
	if (!tb[FRA_PRIORITY])
		nlrule->pref = fib_default_rule_pref(ops);

	/* Backward jumps are prohibited to avoid endless loops */
	if (tb[FRA_GOTO] && nlrule->target <= nlrule->pref) {
		NL_SET_ERR_MSG(extack, "Backward goto not supported");
		return -EINVAL;
	}

	if (tb[FRA_IIFNAME]) {
		struct net_device *dev;

		dev = __dev_get_by_name(nlrule->fr_net, nlrule->iifname);
		if (dev)
			nlrule->iifindex = dev->ifindex;
	}

	if (tb[FRA_OIFNAME]) {
		struct net_device *dev;

		dev = __dev_get_by_name(nlrule->fr_net, nlrule->oifname);
		if (dev)
			nlrule->oifindex = dev->ifindex;
	}

	return 0;
}

static int rule_exists(struct fib_rules_ops *ops, struct fib_rule_hdr *frh,
		       struct nlattr **tb, struct fib_rule *rule)
{
@@ -719,9 +732,6 @@ static int rule_exists(struct fib_rules_ops *ops, struct fib_rule_hdr *frh,
		if (r->tun_id != rule->tun_id)
			continue;

		if (r->fr_net != rule->fr_net)
			continue;

		if (r->l3mdev != rule->l3mdev)
			continue;

@@ -774,15 +784,14 @@ static const struct nla_policy fib_rule_policy[FRA_MAX + 1] = {
	[FRA_FLOWLABEL_MASK] = { .type = NLA_BE32 },
};

int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr *nlh,
		   struct netlink_ext_ack *extack)
int fib_newrule(struct net *net, struct sk_buff *skb, struct nlmsghdr *nlh,
		struct netlink_ext_ack *extack, bool rtnl_held)
{
	struct net *net = sock_net(skb->sk);
	struct fib_rule *rule = NULL, *r, *last = NULL;
	struct fib_rule_hdr *frh = nlmsg_data(nlh);
	int err = -EINVAL, unresolved = 0;
	struct fib_rules_ops *ops = NULL;
	struct fib_rule *rule = NULL, *r, *last = NULL;
	struct nlattr *tb[FRA_MAX + 1];
	int err = -EINVAL, unresolved = 0;
	bool user_priority = false;

	if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh))) {
@@ -804,10 +813,17 @@ int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr *nlh,
		goto errout;
	}

	err = fib_nl2rule(skb, nlh, extack, ops, tb, &rule, &user_priority);
	err = fib_nl2rule(net, nlh, extack, ops, tb, &rule, &user_priority);
	if (err)
		goto errout;

	if (!rtnl_held)
		rtnl_net_lock(net);

	err = fib_nl2rule_rtnl(rule, ops, tb, extack);
	if (err)
		goto errout_free;

	if ((nlh->nlmsg_flags & NLM_F_EXCL) &&
	    rule_exists(ops, frh, tb, rule)) {
		err = -EEXIST;
@@ -869,29 +885,42 @@ int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr *nlh,
	if (rule->tun_id)
		ip_tunnel_need_metadata();

	fib_rule_get(rule);

	if (!rtnl_held)
		rtnl_net_unlock(net);

	notify_rule_change(RTM_NEWRULE, rule, ops, nlh, NETLINK_CB(skb).portid);
	fib_rule_put(rule);
	flush_route_cache(ops);
	rules_ops_put(ops);
	return 0;

errout_free:
	if (!rtnl_held)
		rtnl_net_unlock(net);
	kfree(rule);
errout:
	rules_ops_put(ops);
	return err;
}
EXPORT_SYMBOL_GPL(fib_nl_newrule);
EXPORT_SYMBOL_GPL(fib_newrule);

int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr *nlh,
static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr *nlh,
			  struct netlink_ext_ack *extack)
{
	struct net *net = sock_net(skb->sk);
	return fib_newrule(sock_net(skb->sk), skb, nlh, extack, false);
}

int fib_delrule(struct net *net, struct sk_buff *skb, struct nlmsghdr *nlh,
		struct netlink_ext_ack *extack, bool rtnl_held)
{
	struct fib_rule *rule = NULL, *nlrule = NULL;
	struct fib_rule_hdr *frh = nlmsg_data(nlh);
	struct fib_rules_ops *ops = NULL;
	struct fib_rule *rule = NULL, *r, *nlrule = NULL;
	struct nlattr *tb[FRA_MAX+1];
	int err = -EINVAL;
	bool user_priority = false;
	int err = -EINVAL;

	if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh))) {
		NL_SET_ERR_MSG(extack, "Invalid msg length");
@@ -912,25 +941,32 @@ int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr *nlh,
		goto errout;
	}

	err = fib_nl2rule(skb, nlh, extack, ops, tb, &nlrule, &user_priority);
	err = fib_nl2rule(net, nlh, extack, ops, tb, &nlrule, &user_priority);
	if (err)
		goto errout;

	if (!rtnl_held)
		rtnl_net_lock(net);

	err = fib_nl2rule_rtnl(nlrule, ops, tb, extack);
	if (err)
		goto errout_free;

	rule = rule_find(ops, frh, tb, nlrule, user_priority);
	if (!rule) {
		err = -ENOENT;
		goto errout;
		goto errout_free;
	}

	if (rule->flags & FIB_RULE_PERMANENT) {
		err = -EPERM;
		goto errout;
		goto errout_free;
	}

	if (ops->delete) {
		err = ops->delete(rule);
		if (err)
			goto errout;
			goto errout_free;
	}

	if (rule->tun_id)
@@ -952,7 +988,7 @@ int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr *nlh,
	 * current if it is goto rule, have actually been added.
	 */
	if (ops->nr_goto_rules > 0) {
		struct fib_rule *n;
		struct fib_rule *n, *r;

		n = list_next_entry(rule, list);
		if (&n->list == &ops->rules_list || n->pref != rule->pref)
@@ -966,22 +1002,33 @@ int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr *nlh,
		}
	}

	call_fib_rule_notifiers(net, FIB_EVENT_RULE_DEL, rule, ops,
				NULL);
	notify_rule_change(RTM_DELRULE, rule, ops, nlh,
			   NETLINK_CB(skb).portid);
	call_fib_rule_notifiers(net, FIB_EVENT_RULE_DEL, rule, ops, NULL);

	if (!rtnl_held)
		rtnl_net_unlock(net);

	notify_rule_change(RTM_DELRULE, rule, ops, nlh, NETLINK_CB(skb).portid);
	fib_rule_put(rule);
	flush_route_cache(ops);
	rules_ops_put(ops);
	kfree(nlrule);
	return 0;

errout:
errout_free:
	if (!rtnl_held)
		rtnl_net_unlock(net);
	kfree(nlrule);
errout:
	rules_ops_put(ops);
	return err;
}
EXPORT_SYMBOL_GPL(fib_nl_delrule);
EXPORT_SYMBOL_GPL(fib_delrule);

static int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr *nlh,
			  struct netlink_ext_ack *extack)
{
	return fib_delrule(sock_net(skb->sk), skb, nlh, extack, false);
}

static inline size_t fib_rule_nlmsg_size(struct fib_rules_ops *ops,
					 struct fib_rule *rule)
@@ -1293,8 +1340,10 @@ static struct pernet_operations fib_rules_net_ops = {
};

static const struct rtnl_msg_handler fib_rules_rtnl_msg_handlers[] __initconst = {
	{.msgtype = RTM_NEWRULE, .doit = fib_nl_newrule},
	{.msgtype = RTM_DELRULE, .doit = fib_nl_delrule},
	{.msgtype = RTM_NEWRULE, .doit = fib_nl_newrule,
	 .flags = RTNL_FLAG_DOIT_PERNET},
	{.msgtype = RTM_DELRULE, .doit = fib_nl_delrule,
	 .flags = RTNL_FLAG_DOIT_PERNET},
	{.msgtype = RTM_GETRULE, .dumpit = fib_nl_dumprule,
	 .flags = RTNL_FLAG_DUMP_UNLOCKED},
};
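Review bot: fib_nl2rule_rtnl() (hunk at @@ -683) calls __dev_get_by_name() on nlrule->fr_net, which requires RTNL, yet nothing asserts the lock is held even though callers can reach it with rtnl_held=true and skip the rtnl_net_lock(); an `ASSERT_RTNL_NET(nlrule->fr_net);` as its first statement would enforce the contract the same way call_fib_rule_notifiers() now does (hunk at @@ -371). The function also deserves a short header comment stating that it finishes the parts of fib_nl2rule() that need RTNL: the default priority, the backward-goto check against that final priority, and the iif/oif lookups. Because fib_default_rule_pref() now runs only here, nlrule->pref keeps its allocation-time value between fib_nl2rule() and fib_nl2rule_rtnl(); nothing in view reads it in that window, but the comment should say so. fib_newrule() and fib_delrule() start and end outside their hunks.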
+2 −2
@@ -245,9 +245,9 @@ static int fib4_rule_configure(struct fib_rule *rule, struct sk_buff *skb,
			       struct nlattr **tb,
			       struct netlink_ext_ack *extack)
{
	struct net *net = sock_net(skb->sk);
	int err = -EINVAL;
	struct fib4_rule *rule4 = (struct fib4_rule *)rule;
	struct net *net = rule->fr_net;
	int err = -EINVAL;

	if (tb[FRA_FLOWLABEL] || tb[FRA_FLOWLABEL_MASK]) {
		NL_SET_ERR_MSG(extack,
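Review bot: `struct net *net = rule->fr_net;` in fib4_rule_configure(), and the identical change in fib6_rule_configure() in the next section, now depends on fr_net having been set before ->configure() runs, which is established in fib_nl2rule() outside this view rather than in this hunk. A one-line comment would make the ordering explicit, e.g. `/* fr_net is filled in by fib_nl2rule() before ->configure() */`. With `skb->sk` no longer consulted here, the remaining use of `skb` in the callback is not visible in the hunk; if there is none it is worth noting in the comment so nobody reintroduces sock_net(skb->sk) on a path where the socket may be NULL. The function body continues past the hunk.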
+2 −2
@@ -399,9 +399,9 @@ static int fib6_rule_configure(struct fib_rule *rule, struct sk_buff *skb,
			       struct nlattr **tb,
			       struct netlink_ext_ack *extack)
{
	int err = -EINVAL;
	struct net *net = sock_net(skb->sk);
	struct fib6_rule *rule6 = (struct fib6_rule *)rule;
	struct net *net = rule->fr_net;
	int err = -EINVAL;

	if (!inet_validate_dscp(frh->tos)) {
		NL_SET_ERR_MSG(extack,