Message ID | 1457963194-19132-4-git-send-email-fw@strlen.de |
---|---|
State | Superseded |
Delegated to: | Florian Westphal |
Hi Florian, [auto build test WARNING on nf-next/master] url: https://github.com/0day-ci/linux/commits/Florian-Westphal/netfilter-connlabel-set-support/20160314-214814 base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next master config: i386-randconfig-x009-201611 (attached as .config) reproduce: # save the attached .config to linux build tree make ARCH=i386 All warnings (new ones prefixed by >>): net/netfilter/nft_ct.c: In function 'nft_ct_destroy': net/netfilter/nft_ct.c:410:2: warning: enumeration value 'NFT_CT_STATE' not handled in switch [-Wswitch] switch (priv->key) { ^ net/netfilter/nft_ct.c:410:2: warning: enumeration value 'NFT_CT_DIRECTION' not handled in switch [-Wswitch] net/netfilter/nft_ct.c:410:2: warning: enumeration value 'NFT_CT_STATUS' not handled in switch [-Wswitch] net/netfilter/nft_ct.c:410:2: warning: enumeration value 'NFT_CT_MARK' not handled in switch [-Wswitch] net/netfilter/nft_ct.c:410:2: warning: enumeration value 'NFT_CT_SECMARK' not handled in switch [-Wswitch] net/netfilter/nft_ct.c:410:2: warning: enumeration value 'NFT_CT_EXPIRATION' not handled in switch [-Wswitch] net/netfilter/nft_ct.c:410:2: warning: enumeration value 'NFT_CT_HELPER' not handled in switch [-Wswitch] net/netfilter/nft_ct.c:410:2: warning: enumeration value 'NFT_CT_L3PROTOCOL' not handled in switch [-Wswitch] net/netfilter/nft_ct.c:410:2: warning: enumeration value 'NFT_CT_SRC' not handled in switch [-Wswitch] net/netfilter/nft_ct.c:410:2: warning: enumeration value 'NFT_CT_DST' not handled in switch [-Wswitch] net/netfilter/nft_ct.c:410:2: warning: enumeration value 'NFT_CT_PROTOCOL' not handled in switch [-Wswitch] net/netfilter/nft_ct.c:410:2: warning: enumeration value 'NFT_CT_PROTO_SRC' not handled in switch [-Wswitch] net/netfilter/nft_ct.c:410:2: warning: enumeration value 'NFT_CT_PROTO_DST' not handled in switch [-Wswitch] >> net/netfilter/nft_ct.c:410:2: warning: enumeration value 'NFT_CT_PKTS' not handled in switch [-Wswitch] >> 
net/netfilter/nft_ct.c:410:2: warning: enumeration value 'NFT_CT_BYTES' not handled in switch [-Wswitch] vim +/NFT_CT_PKTS +410 net/netfilter/nft_ct.c 394 err = nft_validate_register_load(priv->sreg, len); 395 if (err < 0) 396 return err; 397 398 err = nft_ct_l3proto_try_module_get(ctx->afi->family); 399 if (err < 0) 400 return err; 401 402 return 0; 403 } 404 405 static void nft_ct_destroy(const struct nft_ctx *ctx, 406 const struct nft_expr *expr) 407 { 408 struct nft_ct *priv = nft_expr_priv(expr); 409 > 410 switch (priv->key) { 411 #ifdef CONFIG_NF_CONNTRACK_LABELS 412 case NFT_CT_LABELS: 413 nf_connlabels_put(ctx->net); 414 break; 415 #endif 416 } 417 418 nft_ct_l3proto_module_put(ctx->afi->family); --- 0-DAY kernel test infrastructure Open Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index d4a4619..f926861 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -198,6 +198,12 @@ static void nft_ct_set_eval(const struct nft_expr *expr,
 }
 break;
 #endif
+#ifdef CONFIG_NF_CONNTRACK_LABELS
+ case NFT_CT_LABELS:
+ nf_connlabels_replace(ct, ®s->data[priv->sreg], NULL,
+ NF_CT_LABELS_MAX_SIZE / sizeof(u32));
+ break;
+#endif
 default:
 break;
 }
@@ -276,6 +282,9 @@ static int nft_ct_get_init(const struct nft_ctx *ctx,
 if (tb[NFTA_CT_DIRECTION] != NULL)
 return -EINVAL;
 len = NF_CT_LABELS_MAX_SIZE;
+ err = nf_connlabels_get(ctx->net, (len * BITS_PER_BYTE) - 1);
+ if (err)
+ return err;
 break;
 #endif
 case NFT_CT_HELPER:
@@ -362,9 +371,21 @@ static int nft_ct_set_init(const struct nft_ctx *ctx,
 switch (priv->key) {
 #ifdef CONFIG_NF_CONNTRACK_MARK
 case NFT_CT_MARK:
+ if (tb[NFTA_CT_DIRECTION])
+ return -EINVAL;
 len = FIELD_SIZEOF(struct nf_conn, mark);
 break;
 #endif
+#ifdef CONFIG_NF_CONNTRACK_LABELS
+ case NFT_CT_LABELS:
+ if (tb[NFTA_CT_DIRECTION])
+ return -EINVAL;
+ len = NF_CT_LABELS_MAX_SIZE;
+ err = nf_connlabels_get(ctx->net, (len * BITS_PER_BYTE) - 1);
+ if (err)
+ return err;
+ break;
+#endif
 default:
 return -EOPNOTSUPP;
 }
@@ -384,6 +405,16 @@ static int nft_ct_set_init(const struct nft_ctx *ctx,
 static void nft_ct_destroy(const struct nft_ctx *ctx,
 const struct nft_expr *expr)
 {
+ struct nft_ct *priv = nft_expr_priv(expr);
+
+ switch (priv->key) {
+#ifdef CONFIG_NF_CONNTRACK_LABELS
+ case NFT_CT_LABELS:
+ nf_connlabels_put(ctx->net);
+ break;
+#endif
+ }
+
 nft_ct_l3proto_module_put(ctx->afi->family);
 }
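Review bot: The `nf_connlabels_replace()` call added to `nft_ct_set_eval` passes a NULL mask and discards the return value, and neither choice is explained at the call site. The commit message says a plain `ct label set bar` clears every other label, so a comment such as `/* NULL mask: all 128 label bits are overwritten with the register contents */` would keep that caveat next to the code for anyone whose filtering policy relies on labels set by another rule. If the call can fail for a given conntrack entry (its contract is not visible in the hunk), the label is silently left unset; the comment should say whether that is intended. The enclosing switch starts outside the hunk.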
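Review bot: The reference taken by `nf_connlabels_get()` in the `NFT_CT_LABELS` case of `nft_ct_get_init` does not appear to be dropped when a later step of init fails. The same pattern is added to `nft_ct_set_init` in the next hunk, and the tail of that function quoted in the build-robot listing on this page still does a bare `return err;` after `nft_validate_register_load()` and `nft_ct_l3proto_try_module_get()` fail. Unless the core calls `nft_ct_destroy` for an expression whose init failed, each rejected rule would leave the per-netns label user count one too high. Routing those error returns through a label that calls `nf_connlabels_put(ctx->net)` when `priv->key == NFT_CT_LABELS` would balance it; both function bodies continue outside their hunks, so confirm against the full file.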
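Review bot: The `if (tb[NFTA_CT_DIRECTION]) return -EINVAL;` check added under `NFT_CT_MARK` in `nft_ct_set_init` tightens validation for an existing key, which the commit message, describing only label support, does not mention. Rejecting an attribute the key cannot use is sound input validation, but a ruleset that previously loaded with a direction attribute on a mark set expression would now be refused. Consider splitting it into its own patch or adding a line to the changelog so the behaviour change is traceable. The function body starts and ends outside the hunk.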
Conntrack labels are currently sized depending on the iptables ruleset, i.e. if we're asked to test or set bits 1, 2, and 65 then we would allocate enough room to store at least bit 65. However, with nft, the input is just a register with arbitrary runtime content. We therefore ask for the upper ceiling we currently have, which is enough room to store 128 bits. Alternatively, we could alter nf_connlabels_replace to increase net->ct.label_words at run time, but since 128 bits is not that big we'd only save sizeof(long) so it doesn't seem worth it for now. Caveat: to add a label without dropping the others one has to use 'ct label set ct label | bar', because 'ct label set bar' will clear all other labels. Signed-off-by: Florian Westphal <fw@strlen.de> --- No changes since v2. net/netfilter/nft_ct.c | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+)