[nf-next] netfilter: nf_tables: set maximum flowtable size

Message ID 20180226083146.2837-1-pablo@netfilter.org
State Under Review
Delegated to: Pablo Neira

Commit Message

Pablo Neira Ayuso Feb. 26, 2018, 8:31 a.m.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/uapi/linux/netfilter/nf_tables.h |  2 ++
 net/netfilter/nf_tables_api.c            | 12 +++++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

Patch

diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 66dceee0ae30..3fa02e883c15 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1341,6 +1341,7 @@  enum nft_object_attributes {
  * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32)
  * @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32)
  * @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64)
+ * @NFTA_FLOWTABLE_SIZE: maximum size (NLA_U32)
  */
 enum nft_flowtable_attributes {
 	NFTA_FLOWTABLE_UNSPEC,
@@ -1350,6 +1351,7 @@  enum nft_flowtable_attributes {
 	NFTA_FLOWTABLE_USE,
 	NFTA_FLOWTABLE_HANDLE,
 	NFTA_FLOWTABLE_PAD,
+	NFTA_FLOWTABLE_SIZE,
 	__NFTA_FLOWTABLE_MAX
 };
 #define NFTA_FLOWTABLE_MAX	(__NFTA_FLOWTABLE_MAX - 1)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 2b925e0d3f6d..0e60322ada2e 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4848,6 +4848,7 @@  static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
 					    .len = NFT_NAME_MAXLEN - 1 },
 	[NFTA_FLOWTABLE_HOOK]		= { .type = NLA_NESTED },
 	[NFTA_FLOWTABLE_HANDLE]		= { .type = NLA_U64 },
+	[NFTA_FLOWTABLE_SIZE]		= { .type = NLA_U32 },
 };
 
 struct nft_flowtable *nf_tables_flowtable_lookup(const struct nft_table *table,
@@ -5077,6 +5078,7 @@  static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
 	struct nft_flowtable *flowtable, *ft;
 	u8 genmask = nft_genmask_next(net);
 	int family = nfmsg->nfgen_family;
+	struct rhashtable_params params;
 	struct nft_table *table;
 	struct nft_ctx ctx;
 	int err;
@@ -5126,8 +5128,12 @@  static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
 		goto err2;
 	}
 
+	params = *type->params;
+	if (nla[NFTA_FLOWTABLE_SIZE])
+		params.max_size = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_SIZE]));
+
 	flowtable->data.type = type;
-	err = rhashtable_init(&flowtable->data.rhashtable, type->params);
+	err = rhashtable_init(&flowtable->data.rhashtable, &params);
 	if (err < 0)
 		goto err3;
 
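Review bot: The value copied into `params.max_size` is used with no validation, so a userspace-supplied 0 or a value below the type's `min_size` is handed to rhashtable_init() as-is; if rhashtable treats `max_size == 0` as "no cap", as I recall it does, then a request that nominally sets a maximum silently disables it instead, and a tiny value may leave the table unable to accept more than a handful of entries. A check before the init, such as `if (params.max_size == 0 || params.max_size < params.min_size) { err = -EINVAL; goto err3; }`, would make the contract explicit (`err3` is presumably the right label since the type has already been acquired, matching the rhashtable_init failure path below). Separately, the attribute is only consulted on the creation path; if the existing-flowtable path earlier in nf_tables_newflowtable() returns early, NFTA_FLOWTABLE_SIZE on an existing table is accepted without effect, which is worth either rejecting with -EOPNOTSUPP or documenting. nf_tables_newflowtable() begins and ends outside this hunk.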
@@ -5326,6 +5332,10 @@  static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
 	nla_nest_end(skb, nest_devs);
 	nla_nest_end(skb, nest);
 
+	if (nla_put_be32(skb, NFTA_FLOWTABLE_SIZE,
+			 htonl(flowtable->data.rhashtable.p.max_size)))
+		goto nla_put_failure;
+
 	nlmsg_end(skb, nlh);
 	return 0;