Commit 07114590 authored by David S. Miller's avatar David S. Miller
Browse files

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 



Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains Netfilter updates for net-next:

1) Add support for the catch-all set element. This special element
   can be used to define a default action to be applied in case that
   the set lookup returns no matching element.

2) Fix incorrect #ifdef dependencies in the nftables cgroupsv2
   support, from Arnd Bergmann.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 69e16d01 7acc0bb4

include/net/netfilter/nf_tables.h

+5 −0
Original line number Diff line number Diff line
@@ -497,6 +497,7 @@ struct nft_set { 
	u8				dlen;

	u8				num_exprs;

	struct nft_expr			*exprs[NFT_SET_EXPR_MAX];

	struct list_head		catchall_list;

	unsigned char			data[]

		__attribute__((aligned(__alignof__(u64))));

};
@@ -522,6 +523,10 @@ struct nft_set *nft_set_lookup_global(const struct net *net, 
				      const struct nlattr *nla_set_id,

				      u8 genmask);



struct nft_set_ext *nft_set_catchall_lookup(const struct net *net,

					    const struct nft_set *set);

void *nft_set_catchall_gc(const struct nft_set *set);



static inline unsigned long nft_set_gc_interval(const struct nft_set *set)

{

	return set->gc_int ? msecs_to_jiffies(set->gc_int) : HZ;

include/uapi/linux/netfilter/nf_tables.h

+2 −0
Original line number Diff line number Diff line
@@ -398,9 +398,11 @@ enum nft_set_attributes { 
 * enum nft_set_elem_flags - nf_tables set element flags

 *

 * @NFT_SET_ELEM_INTERVAL_END: element ends the previous interval

 * @NFT_SET_ELEM_CATCHALL: special catch-all element

 */

enum nft_set_elem_flags {

	NFT_SET_ELEM_INTERVAL_END	= 0x1,

	NFT_SET_ELEM_CATCHALL		= 0x2,

};



/**

net/netfilter/nf_tables_api.c

+486 −90

File changed.

Preview size limit exceeded, changes collapsed.

net/netfilter/nft_lookup.c

+8 −4
Original line number Diff line number Diff line
@@ -30,14 +30,18 @@ void nft_lookup_eval(const struct nft_expr *expr, 
	const struct nft_lookup *priv = nft_expr_priv(expr);

	const struct nft_set *set = priv->set;

	const struct nft_set_ext *ext = NULL;

	const struct net *net = nft_net(pkt);

	bool found;



	found = set->ops->lookup(nft_net(pkt), set, &regs->data[priv->sreg],

				 &ext) ^ priv->invert;

	found = set->ops->lookup(net, set, &regs->data[priv->sreg], &ext) ^

				 priv->invert;

	if (!found) {

		ext = nft_set_catchall_lookup(net, set);

		if (!ext) {

			regs->verdict.code = NFT_BREAK;

			return;

		}

	}



	if (ext) {

		if (set->flags & NFT_SET_MAP)

net/netfilter/nft_objref.c

+7 −4
Original line number Diff line number Diff line
@@ -105,16 +105,19 @@ static void nft_objref_map_eval(const struct nft_expr *expr, 
{

	struct nft_objref_map *priv = nft_expr_priv(expr);

	const struct nft_set *set = priv->set;

	struct net *net = nft_net(pkt);

	const struct nft_set_ext *ext;

	struct nft_object *obj;

	bool found;



	found = set->ops->lookup(nft_net(pkt), set, &regs->data[priv->sreg],

				 &ext);

	found = set->ops->lookup(net, set, &regs->data[priv->sreg], &ext);

	if (!found) {

		ext = nft_set_catchall_lookup(net, set);

		if (!ext) {

			regs->verdict.code = NFT_BREAK;

			return;

		}

	}

	obj = *nft_set_ext_obj(ext);

	obj->ops->eval(obj, regs, pkt);

}