Commit 9669c110 authored by Phil Sutter's avatar Phil Sutter Committed by Pablo Neira Ayuso
Browse files

netfilter: nf_tables: Wrap netdev notifiers 



Handling NETDEV_CHANGENAME events has to traverse all chains/flowtables
twice, prepare for this. No functional change intended.

Signed-off-by: default avatarPhil Sutter <phil@nwl.cc>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent a331b78a

net/netfilter/nf_tables_api.c

+22 −12
Original line number Diff line number Diff line
@@ -9736,13 +9736,28 @@ static int nft_flowtable_event(unsigned long event, struct net_device *dev, 
	return 0;

}



static int __nf_tables_flowtable_event(unsigned long event,

				       struct net_device *dev)

{

	struct nftables_pernet *nft_net = nft_pernet(dev_net(dev));

	struct nft_flowtable *flowtable;

	struct nft_table *table;



	list_for_each_entry(table, &nft_net->tables, list) {

		list_for_each_entry(flowtable, &table->flowtables, list) {

			if (nft_flowtable_event(event, dev, flowtable))

				return 1;

		}

	}

	return 0;

}



static int nf_tables_flowtable_event(struct notifier_block *this,

				     unsigned long event, void *ptr)

{

	struct net_device *dev = netdev_notifier_info_to_dev(ptr);

	struct nft_flowtable *flowtable;

	struct nftables_pernet *nft_net;

	struct nft_table *table;

	int ret = NOTIFY_DONE;

	struct net *net;



	if (event != NETDEV_REGISTER &&
@@ -9752,17 +9767,12 @@ static int nf_tables_flowtable_event(struct notifier_block *this, 
	net = dev_net(dev);

	nft_net = nft_pernet(net);

	mutex_lock(&nft_net->commit_mutex);

	list_for_each_entry(table, &nft_net->tables, list) {

		list_for_each_entry(flowtable, &table->flowtables, list) {

			if (nft_flowtable_event(event, dev, flowtable)) {

				mutex_unlock(&nft_net->commit_mutex);

				return NOTIFY_BAD;

			}

		}

	}

	mutex_unlock(&nft_net->commit_mutex);



	return NOTIFY_DONE;

	if (__nf_tables_flowtable_event(event, dev))

		ret = NOTIFY_BAD;



	mutex_unlock(&nft_net->commit_mutex);

	return ret;

}



static struct notifier_block nf_tables_flowtable_notifier = {

net/netfilter/nft_chain_filter.c

+24 −14
Original line number Diff line number Diff line
@@ -363,21 +363,14 @@ static int nft_netdev_event(unsigned long event, struct net_device *dev, 
	return 0;

}



static int nf_tables_netdev_event(struct notifier_block *this,

				  unsigned long event, void *ptr)

static int __nf_tables_netdev_event(unsigned long event, struct net_device *dev)

{

	struct net_device *dev = netdev_notifier_info_to_dev(ptr);

	struct nft_base_chain *basechain;

	struct nftables_pernet *nft_net;

	struct nft_chain *chain;

	struct nft_table *table;



	if (event != NETDEV_REGISTER &&

	    event != NETDEV_UNREGISTER)

		return NOTIFY_DONE;



	nft_net = nft_pernet(dev_net(dev));

	mutex_lock(&nft_net->commit_mutex);

	list_for_each_entry(table, &nft_net->tables, list) {

		if (table->family != NFPROTO_NETDEV &&

		    table->family != NFPROTO_INET)
@@ -392,15 +385,32 @@ static int nf_tables_netdev_event(struct notifier_block *this, 
			    basechain->ops.hooknum != NF_INET_INGRESS)

				continue;



			if (nft_netdev_event(event, dev, basechain)) {

				mutex_unlock(&nft_net->commit_mutex);

				return NOTIFY_BAD;

			if (nft_netdev_event(event, dev, basechain))

				return 1;

		}

	}

	return 0;

}

	mutex_unlock(&nft_net->commit_mutex);



static int nf_tables_netdev_event(struct notifier_block *this,

				  unsigned long event, void *ptr)

{

	struct net_device *dev = netdev_notifier_info_to_dev(ptr);

	struct nftables_pernet *nft_net;

	int ret = NOTIFY_DONE;



	if (event != NETDEV_REGISTER &&

	    event != NETDEV_UNREGISTER)

		return NOTIFY_DONE;



	nft_net = nft_pernet(dev_net(dev));

	mutex_lock(&nft_net->commit_mutex);



	if (__nf_tables_netdev_event(event, dev))

		ret = NOTIFY_BAD;



	mutex_unlock(&nft_net->commit_mutex);

	return ret;

}



static struct notifier_block nf_tables_netdev_notifier = {