Commit 11fe5a82 authored by Florian Westphal's avatar Florian Westphal

netfilter: nf_tables: make nft_set_do_lookup available unconditionally



This function was added for retpoline mitigation and is replaced by a
static inline helper if mitigations are not enabled.

Enable this helper function unconditionally so that the next patch can add a
lookup-restart mechanism to fix possible false negatives while transactions are
in progress.

Adding lookup restarts in nft_lookup_eval doesn't work as nft_objref would
then need the same copypaste loop.

This patch is separate to ease review of the actual bug fix.

Suggested-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
parent 64102d9b
+2 −8
@@ -109,17 +109,11 @@ nft_hash_lookup_fast(const struct net *net, const struct nft_set *set,
const struct nft_set_ext *
nft_hash_lookup(const struct net *net, const struct nft_set *set,
		const u32 *key);
#endif

const struct nft_set_ext *
nft_set_do_lookup(const struct net *net, const struct nft_set *set,
		  const u32 *key);
#else
static inline const struct nft_set_ext *
nft_set_do_lookup(const struct net *net, const struct nft_set *set,
		  const u32 *key)
{
	return set->ops->lookup(net, set, key);
}
#endif

/* called from nft_pipapo_avx2.c */
const struct nft_set_ext *
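Review bot: The `#endif` that now sits directly after the `nft_hash_lookup` prototype (inferred to be one of the two added lines, since the page shows no +/- markers) closes a `#ifdef CONFIG_MITIGATION_RETPOLINE` block whose opening lies outside this hunk, so a reader of the header can no longer see which condition it terminates now that the `#else`/static-inline branch is gone. Tagging it as `#endif /* CONFIG_MITIGATION_RETPOLINE */` keeps the preprocessor nesting readable. The now-unconditional `nft_set_do_lookup` prototype could also carry a one-line comment in the style of the `/* called from nft_pipapo_avx2.c */` note below it, e.g. `/* backend lookup dispatch; defined alongside nft_lookup_eval */`, so header readers know it is no longer a config-dependent inline.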
+12 −5
@@ -24,11 +24,11 @@ struct nft_lookup {
	struct nft_set_binding		binding;
};

#ifdef CONFIG_MITIGATION_RETPOLINE
const struct nft_set_ext *
nft_set_do_lookup(const struct net *net, const struct nft_set *set,
static const struct nft_set_ext *
__nft_set_do_lookup(const struct net *net, const struct nft_set *set,
		    const u32 *key)
{
#ifdef CONFIG_MITIGATION_RETPOLINE
	if (set->ops == &nft_set_hash_fast_type.ops)
		return nft_hash_lookup_fast(net, set, key);
	if (set->ops == &nft_set_hash_type.ops)
@@ -51,10 +51,17 @@ nft_set_do_lookup(const struct net *net, const struct nft_set *set,
		return nft_rbtree_lookup(net, set, key);

	WARN_ON_ONCE(1);
#endif
	return set->ops->lookup(net, set, key);
}

const struct nft_set_ext *
nft_set_do_lookup(const struct net *net, const struct nft_set *set,
		  const u32 *key)
{
	return __nft_set_do_lookup(net, set, key);
}
EXPORT_SYMBOL_GPL(nft_set_do_lookup);
#endif

void nft_lookup_eval(const struct nft_expr *expr,
		     struct nft_regs *regs,