From patchwork Tue May 15 12:23:14 2018
X-Patchwork-Submitter: Taehee Yoo
X-Patchwork-Id: 913599
X-Patchwork-Delegate: pablo@netfilter.org
From: Taehee Yoo
To: pablo@netfilter.org, netfilter-devel@vger.kernel.org
Cc: ap420073@gmail.com
Subject: [PATCH nf 1/5] netfilter: nf_tables: use nft_ctx instead of nft_chain
Date: Tue, 15 May 2018 21:23:14 +0900
Message-Id: <20180515122314.29197-1-ap420073@gmail.com>
X-Mailing-List: netfilter-devel@vger.kernel.org

This patch prepares for next patches. The nft_chain_validate_hooks and nft_chain_validate_dependency are going to use both net and nft_chain.
Signed-off-by: Taehee Yoo --- include/net/netfilter/nf_tables.h | 4 ++-- net/bridge/netfilter/nft_reject_bridge.c | 4 ++-- net/netfilter/nf_tables_api.c | 12 ++++++------ net/netfilter/nft_fib.c | 2 +- net/netfilter/nft_flow_offload.c | 2 +- net/netfilter/nft_masq.c | 4 ++-- net/netfilter/nft_meta.c | 4 ++-- net/netfilter/nft_nat.c | 6 +++--- net/netfilter/nft_redir.c | 4 ++-- net/netfilter/nft_reject.c | 2 +- net/netfilter/nft_rt.c | 2 +- 11 files changed, 23 insertions(+), 23 deletions(-) diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index a1e28dd..7eb4802 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -903,9 +903,9 @@ struct nft_chain_type { void (*free)(struct nft_ctx *ctx); }; -int nft_chain_validate_dependency(const struct nft_chain *chain, +int nft_chain_validate_dependency(const struct nft_ctx *ctx, enum nft_chain_types type); -int nft_chain_validate_hooks(const struct nft_chain *chain, +int nft_chain_validate_hooks(const struct nft_ctx *ctx, unsigned int hook_flags); struct nft_stats { diff --git a/net/bridge/netfilter/nft_reject_bridge.c b/net/bridge/netfilter/nft_reject_bridge.c index eaf05de..f3b633b 100644 --- a/net/bridge/netfilter/nft_reject_bridge.c +++ b/net/bridge/netfilter/nft_reject_bridge.c @@ -357,8 +357,8 @@ static int nft_reject_bridge_validate(const struct nft_ctx *ctx, const struct nft_expr *expr, const struct nft_data **data) { - return nft_chain_validate_hooks(ctx->chain, (1 << NF_BR_PRE_ROUTING) | - (1 << NF_BR_LOCAL_IN)); + return nft_chain_validate_hooks(ctx, (1 << NF_BR_PRE_ROUTING) | + (1 << NF_BR_LOCAL_IN)); } static int nft_reject_bridge_init(const struct nft_ctx *ctx, diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 3806db3..13c2fc3 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c 
@@ -6132,13 +6132,13 @@ static const struct nfnetlink_subsystem nf_tables_subsys = { .valid_genid = nf_tables_valid_genid, }; -int nft_chain_validate_dependency(const struct nft_chain *chain, +int nft_chain_validate_dependency(const struct nft_ctx *ctx, enum nft_chain_types type) { const struct nft_base_chain *basechain; - if (nft_is_base_chain(chain)) { - basechain = nft_base_chain(chain); + if (nft_is_base_chain(ctx->chain)) { + basechain = nft_base_chain(ctx->chain); if (basechain->type->type != type) return -EOPNOTSUPP; } @@ -6146,13 +6146,13 @@ int nft_chain_validate_dependency(const struct nft_chain *chain, } EXPORT_SYMBOL_GPL(nft_chain_validate_dependency); -int nft_chain_validate_hooks(const struct nft_chain *chain, +int nft_chain_validate_hooks(const struct nft_ctx *ctx, unsigned int hook_flags) { struct nft_base_chain *basechain; - if (nft_is_base_chain(chain)) { - basechain = nft_base_chain(chain); + if (nft_is_base_chain(ctx->chain)) { + basechain = nft_base_chain(ctx->chain); if ((1 << basechain->ops.hooknum) & hook_flags) return 0; diff --git a/net/netfilter/nft_fib.c b/net/netfilter/nft_fib.c index 21df8cc..47dbf94 100644 --- a/net/netfilter/nft_fib.c +++ b/net/netfilter/nft_fib.c @@ -59,7 +59,7 @@ int nft_fib_validate(const struct nft_ctx *ctx, const struct nft_expr *expr, return -EINVAL; } - return nft_chain_validate_hooks(ctx->chain, hooks); + return nft_chain_validate_hooks(ctx, hooks); } EXPORT_SYMBOL_GPL(nft_fib_validate); diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c index b65829b..6165733 100644 --- a/net/netfilter/nft_flow_offload.c +++ b/net/netfilter/nft_flow_offload.c @@ -128,7 +128,7 @@ static int nft_flow_offload_validate(const struct nft_ctx *ctx, { unsigned int hook_mask = (1 << NF_INET_FORWARD); - return nft_chain_validate_hooks(ctx->chain, hook_mask); + return nft_chain_validate_hooks(ctx, hook_mask); } static int nft_flow_offload_init(const struct nft_ctx *ctx, 
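Review bot: in the nft_chain_validate_dependency()/nft_chain_validate_hooks() hunk the new ctx parameter is dereferenced as ctx->chain with no NULL check, which is fine for every caller in this patch (each passes the ctx it received from ->validate()) but turns "ctx must be non-NULL" into a contract that later patches in this series have to honour (3/5 calls ->validate(NULL, ...) from nft_mark_rule()). A one-line comment above the two functions stating that ctx and ctx->chain must be valid would make that explicit; otherwise the rename is mechanical and keeps behaviour unchanged.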
diff --git a/net/netfilter/nft_masq.c b/net/netfilter/nft_masq.c index 9d8655b..5a32260 100644 --- a/net/netfilter/nft_masq.c +++ b/net/netfilter/nft_masq.c @@ -29,11 +29,11 @@ int nft_masq_validate(const struct nft_ctx *ctx, { int err; - err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT); + err = nft_chain_validate_dependency(ctx, NFT_CHAIN_T_NAT); if (err < 0) return err; - return nft_chain_validate_hooks(ctx->chain, + return nft_chain_validate_hooks(ctx, (1 << NF_INET_POST_ROUTING)); } EXPORT_SYMBOL_GPL(nft_masq_validate); diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c index 8fb91940..7d14fe3 100644 --- a/net/netfilter/nft_meta.c +++ b/net/netfilter/nft_meta.c @@ -354,7 +354,7 @@ static int nft_meta_get_validate(const struct nft_ctx *ctx, return -EOPNOTSUPP; } - return nft_chain_validate_hooks(ctx->chain, hooks); + return nft_chain_validate_hooks(ctx, hooks); #else return 0; #endif @@ -386,7 +386,7 @@ int nft_meta_set_validate(const struct nft_ctx *ctx, return -EOPNOTSUPP; } - return nft_chain_validate_hooks(ctx->chain, hooks); + return nft_chain_validate_hooks(ctx, hooks); } EXPORT_SYMBOL_GPL(nft_meta_set_validate); diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c index 1f36954..12c00e9 100644 --- a/net/netfilter/nft_nat.c +++ b/net/netfilter/nft_nat.c @@ -94,18 +94,18 @@ static int nft_nat_validate(const struct nft_ctx *ctx, struct nft_nat *priv = nft_expr_priv(expr); int err; - err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT); + err = nft_chain_validate_dependency(ctx, NFT_CHAIN_T_NAT); if (err < 0) return err; switch (priv->type) { case NFT_NAT_SNAT: - err = nft_chain_validate_hooks(ctx->chain, + err = nft_chain_validate_hooks(ctx, (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_LOCAL_IN)); break; case NFT_NAT_DNAT: - err = nft_chain_validate_hooks(ctx->chain, + err = nft_chain_validate_hooks(ctx, (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT)); break; 
diff --git a/net/netfilter/nft_redir.c b/net/netfilter/nft_redir.c index c64cbe7..098a4a4 100644 --- a/net/netfilter/nft_redir.c +++ b/net/netfilter/nft_redir.c @@ -29,11 +29,11 @@ int nft_redir_validate(const struct nft_ctx *ctx, { int err; - err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT); + err = nft_chain_validate_dependency(ctx, NFT_CHAIN_T_NAT); if (err < 0) return err; - return nft_chain_validate_hooks(ctx->chain, + return nft_chain_validate_hooks(ctx, (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT)); } diff --git a/net/netfilter/nft_reject.c b/net/netfilter/nft_reject.c index 29f5bd2..74b6e4e 100644 --- a/net/netfilter/nft_reject.c +++ b/net/netfilter/nft_reject.c @@ -30,7 +30,7 @@ int nft_reject_validate(const struct nft_ctx *ctx, const struct nft_expr *expr, const struct nft_data **data) { - return nft_chain_validate_hooks(ctx->chain, + return nft_chain_validate_hooks(ctx, (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD) | (1 << NF_INET_LOCAL_OUT)); diff --git a/net/netfilter/nft_rt.c b/net/netfilter/nft_rt.c index 11a2071..b754184 100644 --- a/net/netfilter/nft_rt.c +++ b/net/netfilter/nft_rt.c 
@@ -176,7 +176,7 @@ static int nft_rt_validate(const struct nft_ctx *ctx, const struct nft_expr *exp return -EINVAL; } - return nft_chain_validate_hooks(ctx->chain, hooks); + return nft_chain_validate_hooks(ctx, hooks); } static struct nft_expr_type nft_rt_type;

From patchwork Tue May 15 12:23:31 2018
X-Patchwork-Submitter: Taehee Yoo
X-Patchwork-Id: 913600
X-Patchwork-Delegate: pablo@netfilter.org
From: Taehee Yoo
To: pablo@netfilter.org, netfilter-devel@vger.kernel.org
Cc: ap420073@gmail.com
Subject: [PATCH nf 2/5] netfilter: nf_tables: remove nft_af_info.
Date: Tue, 15 May 2018 21:23:31 +0900
Message-Id: <20180515122331.29310-1-ap420073@gmail.com>
X-Mailing-List: netfilter-devel@vger.kernel.org

The struct nft_af_info was removed.

Signed-off-by: Taehee Yoo
---
 include/net/netns/nftables.h | 2 --
 1 file changed, 2 deletions(-)
diff --git a/include/net/netns/nftables.h b/include/net/netns/nftables.h index 4813435..29c3851 100644 --- a/include/net/netns/nftables.h +++ b/include/net/netns/nftables.h 
@@ -4,8 +4,6 @@ #include -struct nft_af_info; - struct netns_nftables { struct list_head tables; struct list_head commit_list;

From patchwork Tue May 15 12:23:43 2018
X-Patchwork-Submitter: Taehee Yoo
X-Patchwork-Id: 913601
X-Patchwork-Delegate: pablo@netfilter.org
From: Taehee Yoo
To: pablo@netfilter.org, netfilter-devel@vger.kernel.org
Cc: ap420073@gmail.com
Subject: [PATCH nf 3/5] netfilter: nf_tables: add type and hook validate routine
Date: Tue, 15 May 2018 21:23:43 +0900
Message-Id: <20180515122343.29387-1-ap420073@gmail.com>
X-Mailing-List: netfilter-devel@vger.kernel.org

This patch adds a validate callback to the nfnetlink_subsystem. It validates the type and hook of both basechains and non-basechains.

To validate type and hook, it constructs a chain information array. Like the loop detection routine, the validator traverses each rule and set, then marks the type and hook value in the chain information array.

example:

table ip test {
	chain prerouting {
		type nat hook prerouting priority 4;
		jump test1
	}
	chain postrouting {
		type nat hook postrouting priority 5;
		jump test1
	}
	chain input {
		type filter hook input priority 0;
		jump test1
	}
	chain output {
		type filter hook output priority 0;
		jump test2
	}
	chain test1 {
		jump test2
		counter
	}
	chain test2 {
		counter
	}
}

The test1 has the chain information below.
type = NFT_CHAIN_T_MIX
hook = (1 << NF_INET_PRE_ROUTING | 1 << NF_INET_POST_ROUTING | 1 << NF_INET_LOCAL_IN)

And test2 has the chain information below.
type = NFT_CHAIN_T_MIX
hook = (1 << NF_INET_PRE_ROUTING | 1 << NF_INET_POST_ROUTING | 1 << NF_INET_LOCAL_IN | 1 << NF_INET_LOCAL_OUT)

The new type NFT_CHAIN_T_MIX means that the chain has both filter and nat type.
Then, the validator calls expr->ops->validate().
The next patch makes expr->ops->validate() use the chain information array instead of the basechain's data.

Signed-off-by: Taehee Yoo
---
 include/linux/netfilter/nfnetlink.h |   1 +
 include/net/netfilter/nf_tables.h   |   1 +
 include/net/netns/nftables.h        |   3 +
 net/netfilter/nf_tables_api.c       | 262 ++++++++++++++++++++++++++++++++++++
 4 files changed, 267 insertions(+)
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h index 34551f8..a641d52 100644 --- a/include/linux/netfilter/nfnetlink.h +++ b/include/linux/netfilter/nfnetlink.h @@ -29,6 +29,7 @@ struct nfnetlink_subsystem { __u8 subsys_id; /* nfnetlink subsystem ID */ __u8 cb_count; /* number of callbacks */ const struct nfnl_callback *cb; /* callback for individual types */ + int (*validate)(struct net *net); int (*commit)(struct net *net, struct sk_buff *skb); int (*abort)(struct net *net, struct sk_buff *skb); bool (*valid_genid)(struct net *net, u32 genid); diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index 7eb4802..9959509 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -877,6 +877,7 @@ enum nft_chain_types { NFT_CHAIN_T_DEFAULT = 0, NFT_CHAIN_T_ROUTE, NFT_CHAIN_T_NAT, + NFT_CHAIN_T_MIX, NFT_CHAIN_T_MAX }; diff --git a/include/net/netns/nftables.h b/include/net/netns/nftables.h index 29c3851..61e94e5 100644 --- a/include/net/netns/nftables.h +++ b/include/net/netns/nftables.h @@ -4,9 +4,12 @@ #include +struct nft_chain_info; + struct netns_nftables { struct list_head tables; struct list_head commit_list; + struct nft_chain_info *chain_info; unsigned int base_seq; u8 gencursor; }; diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 13c2fc3..36d8fba 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c 
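Review bot: in the nf_tables.h hunk, NFT_CHAIN_T_MIX is a validator-only marker (a chain reachable from base chains of different types), not a chain type that any nft_chain_type can ever register, yet it is inserted into enum nft_chain_types ahead of NFT_CHAIN_T_MAX, so every array or loop bounded by NFT_CHAIN_T_MAX now carries a slot that is never filled. Either keep the marker out of the enum (a flag bit in struct nft_chain_info would do) or add a comment at the enum stating that it is never a registrable type. In the netns/nftables.h hunk, the new chain_info pointer is scratch state that is only meaningful while nf_tables_validate() runs; a comment saying so next to the field would save the next reader a trip through nf_tables_api.c.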
@@ -5841,6 +5841,267 @@ static void nf_tables_commit_release(struct net *net) } } +struct nft_chain_info { + u8 type; + unsigned int hooknum; +}; + +static inline struct nft_chain_info *nft_get_chain_info(struct net *net, + struct nft_chain *chain) +{ + return net->nft.chain_info + chain->handle; +} + +static int nft_validate_chain(struct net *net, struct nft_chain *chain) +{ + struct nft_table *table = chain->table; + struct nft_expr *expr, *last; + struct nft_rule *rule; + struct nft_ctx ctx; + + list_for_each_entry(rule, &chain->rules, list) { + if (!nft_is_active_next(net, rule)) + continue; + nft_rule_for_each_expr(expr, last, rule) { + const struct nft_data *data = NULL; + int err = 0; + + if (!expr->ops->validate) + continue; + + ctx.net = net; + ctx.family = table->family; + ctx.table = table; + ctx.chain = chain; + err = expr->ops->validate(&ctx, expr, &data); + if (err < 0) + return err; + + if (!data) + continue; + + switch (data->verdict.code) { + case NFT_JUMP: + case NFT_GOTO: + err = nft_validate_chain(net, + data->verdict.chain); + if (err < 0) + return err; + default: + break; + } + } + } + return 0; +} + +static int nft_mark_chain_info(struct net *net, + struct nft_chain *pchain, + struct nft_chain *cchain); + +static int nft_mark_chain_info_setelem(const struct nft_ctx *ctx, + struct nft_set *set, + const struct nft_set_iter *iter, + struct nft_set_elem *elem) +{ + const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); + const struct nft_data *data; + + if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && + *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) + return 0; + + data = nft_set_ext_data(ext); + switch (data->verdict.code) { + case NFT_JUMP: + case NFT_GOTO: + return nft_mark_chain_info(ctx->net, ctx->chain, + data->verdict.chain); + default: + return 0; + } + + return 0; +} + +static int nft_mark_set_elem(struct net *net, struct nft_chain *chain) +{ + struct nft_ctx ctx; + struct nft_table *table = chain->table; + struct 
nft_set *set; + struct nft_set_binding *binding; + struct nft_set_iter iter; + + list_for_each_entry(set, &table->sets, list) { + if (!nft_is_active_next(net, set)) + continue; + if (!(set->flags & NFT_SET_MAP) || + set->dtype != NFT_DATA_VERDICT) + continue; + + list_for_each_entry(binding, &set->bindings, list) { + if (!(binding->flags & NFT_SET_MAP) || + binding->chain != chain) + continue; + + iter.genmask = nft_genmask_next(net); + iter.skip = 0; + iter.count = 0; + iter.err = 0; + iter.fn = nft_mark_chain_info_setelem; + + ctx.net = net; + ctx.family = table->family; + ctx.table = table; + ctx.chain = chain; + set->ops->walk(&ctx, set, &iter); + if (iter.err < 0) + return iter.err; + } + } + return 0; +} + +static int nft_mark_rule(struct net *net, struct nft_chain *chain) +{ + struct nft_rule *rule; + struct nft_expr *expr, *last; + + list_for_each_entry(rule, &chain->rules, list) { + if (!nft_is_active_next(net, rule)) + continue; + nft_rule_for_each_expr(expr, last, rule) { + const struct nft_data *data = NULL; + int err; + + if (!expr->ops->validate) + continue; + if (strcmp(expr->ops->type->name, "immediate")) + continue; + + err = expr->ops->validate(NULL, expr, &data); + if (err < 0) + return err; + + if (!data) + continue; + + switch (data->verdict.code) { + case NFT_JUMP: + case NFT_GOTO: + err = nft_mark_chain_info(net, chain, + data->verdict.chain); + if (err < 0) + return err; + default: + break; + } + } + } + return 0; +} + +static int nft_mark_chain_info(struct net *net, + struct nft_chain *pchain, + struct nft_chain *cchain) +{ + struct nft_chain_info before; + struct nft_chain_info *pinfo = nft_get_chain_info(net, pchain); + struct nft_chain_info *cinfo = nft_get_chain_info(net, cchain); + int err = 0; + + if (pchain != cchain) { + if (unlikely(nft_is_base_chain(cchain))) { + WARN_ON(1); + return -ELOOP; + } + + before.type = cinfo->type; + before.hooknum = cinfo->hooknum; + + if (cinfo->type && cinfo->type != pinfo->type) + cinfo->type = 
NFT_CHAIN_T_MIX; + else + cinfo->type = pinfo->type; + cinfo->hooknum |= pinfo->hooknum; + + if (cinfo->type == before.type && + cinfo->hooknum == before.hooknum) + return 0; + } + + err = nft_mark_rule(net, cchain); + if (err < 0) + return err; + return nft_mark_set_elem(net, cchain); +} + +static int nf_tables_validate(struct net *net) +{ + struct nft_table *table; + struct nft_chain *chain; + struct nft_base_chain *basechain; + struct nft_chain_info *cinfo; + u64 hgenerator = 0; + int err = 0; + + list_for_each_entry(table, &net->nft.tables, list) { + if (!nft_is_active_next(net, table)) + continue; + hgenerator = max_t(u64, hgenerator, table->hgenerator); + } + + if (!hgenerator) + return 0; + + hgenerator++; + net->nft.chain_info = kvmalloc(hgenerator * + sizeof(struct nft_chain_info), + GFP_KERNEL); + if (!net->nft.chain_info) + return -ENOMEM; + + list_for_each_entry(table, &net->nft.tables, list) { + if (!nft_is_active_next(net, table)) + continue; + + memset(net->nft.chain_info, 0, + sizeof(struct nft_chain_info) * hgenerator); + + list_for_each_entry(chain, &table->chains, list) { + if (!nft_is_active_next(net, chain)) + continue; + if (!nft_is_base_chain(chain)) + continue; + + basechain = nft_base_chain(chain); + cinfo = nft_get_chain_info(net, chain); + + cinfo->type = basechain->type->type; + cinfo->hooknum |= 1 << basechain->ops.hooknum; + + err = nft_mark_chain_info(net, chain, chain); + if (err) + goto out; + + err = nft_mark_set_elem(net, chain); + if (err < 0) + goto out; + } + list_for_each_entry(chain, &table->chains, list) { + if (!nft_is_active_next(net, chain)) + continue; + err = nft_validate_chain(net, chain); + if (err < 0) + goto out; + } + } + +out: + kvfree(net->nft.chain_info); + return err; +} + static int nf_tables_commit(struct net *net, struct sk_buff *skb) { struct nft_trans *trans, *next; 
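Review bot: nft_mark_rule() calls expr->ops->validate(NULL, expr, &data), so correctness rests on the "immediate" expression's validate callback never touching ctx; nft_validate_chain() in the same hunk already builds a full nft_ctx for the identical rule walk, so build one here too rather than leave a NULL dereference waiting for the next change to nft_immediate. Three further points in this hunk: (1) at the out: label, kvfree(net->nft.chain_info) leaves a dangling pointer in net->nft and nft_get_chain_info() cannot tell, so set the field to NULL after freeing; (2) the allocation size hgenerator * sizeof(struct nft_chain_info) is computed by hand from a u64 taken from table->hgenerator, so use kvmalloc_array() to get the overflow check, and since the array is indexed by chain->handle it is sparse whenever other objects in the table consume handles, which deserves a comment; (3) nft_validate_chain() recurses into every NFT_JUMP/NFT_GOTO target, but the second loop in nf_tables_validate() already validates every active chain of the table, so the recursion only repeats work and, unlike nft_mark_chain_info(), has no early-out when nothing changed; the switch can simply break.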
@@ -6128,6 +6389,7 @@ static const struct nfnetlink_subsystem nf_tables_subsys = { .cb_count = NFT_MSG_MAX, .cb = nf_tables_cb, .commit = nf_tables_commit, + .validate = nf_tables_validate, .abort = nf_tables_abort, .valid_genid = nf_tables_valid_genid, };

From patchwork Tue May 15 12:24:01 2018
X-Patchwork-Submitter: Taehee Yoo
X-Patchwork-Id: 913602
X-Patchwork-Delegate: pablo@netfilter.org
From: Taehee Yoo
To: pablo@netfilter.org, netfilter-devel@vger.kernel.org
Cc: ap420073@gmail.com
Subject: [PATCH nf 4/5] netfilter: nf_tables: use chain info to validate type and hook.
Date: Tue, 15 May 2018 21:24:01 +0900
Message-Id: <20180515122401.29480-1-ap420073@gmail.com>
X-Mailing-List: netfilter-devel@vger.kernel.org

After this patch, nft_chain_validate_dependency and nft_chain_validate_hooks use the chain information array, so that these functions can validate both basechains and non-basechains.

Now expr->ops->validate should be called in nf_tables_validate because it uses chain information that is allocated in nf_tables_validate. But exceptionally, nf_tables_check_loops can call it if ops is "immediate".

Now, nft_compat.c uses the common validate routine instead of nft_compat_chain_validate_dependency.

Signed-off-by: Taehee Yoo
---
 net/netfilter/nf_tables_api.c | 51 +++++++++++-------------------
 net/netfilter/nft_compat.c    | 73 ++++++++++++++-----------------------------
 2 files changed, 42 insertions(+), 82 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 36d8fba..d902ef9 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -1899,26 +1899,13 @@ static int nf_tables_newexpr(const struct nft_ctx *ctx, expr->ops = ops; if (ops->init) { err = ops->init(ctx, expr, (const struct nlattr **)info->tb); - if (err < 0) - goto err1; - } - - if (ops->validate) { - const struct nft_data *data = NULL; - - err = ops->validate(ctx, expr, &data); - if (err < 0) - goto err2; + if (err < 0) { + expr->ops = NULL; + return err; + } } return 0; - -err2: - if (ops->destroy) - ops->destroy(ctx, expr); -err1: - expr->ops = NULL; - return err; } static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
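Review bot: this hunk removes the only ->validate() call made at expression creation, while the nfnetlink_subsystem .validate callback added in 3/5 has no caller anywhere in the patches shown here, so between this patch and whatever wires validate() into the batch path a rule with an invalid expression is accepted with no validation at all; either fold the call site into this patch or name in the commit message which patch adds it, so the series stays bisectable. The commit message should also spell out the user-visible change: an invalid expression is now reported when the whole batch is committed rather than when the rule is added.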
@@ -6397,13 +6384,12 @@ static const struct nfnetlink_subsystem nf_tables_subsys = { int nft_chain_validate_dependency(const struct nft_ctx *ctx, enum nft_chain_types type) { - const struct nft_base_chain *basechain; + struct net *net = ctx->net; + struct nft_chain *chain = ctx->chain; + struct nft_chain_info *cinfo = nft_get_chain_info(net, chain); - if (nft_is_base_chain(ctx->chain)) { - basechain = nft_base_chain(ctx->chain); - if (basechain->type->type != type) - return -EOPNOTSUPP; - } + if (cinfo->type && cinfo->type != type) + return -EOPNOTSUPP; return 0; } EXPORT_SYMBOL_GPL(nft_chain_validate_dependency); @@ -6411,17 +6397,14 @@ EXPORT_SYMBOL_GPL(nft_chain_validate_dependency); int nft_chain_validate_hooks(const struct nft_ctx *ctx, unsigned int hook_flags) { - struct nft_base_chain *basechain; - - if (nft_is_base_chain(ctx->chain)) { - basechain = nft_base_chain(ctx->chain); - - if ((1 << basechain->ops.hooknum) & hook_flags) - return 0; + struct net *net = ctx->net; + struct nft_chain *chain = ctx->chain; + struct nft_chain_info *cinfo = nft_get_chain_info(net, chain); + if (!hook_flags) + return 0; + if (cinfo->hooknum & ~hook_flags) return -EOPNOTSUPP; - } - return 0; } EXPORT_SYMBOL_GPL(nft_chain_validate_hooks); @@ -6479,12 +6462,14 @@ static int nf_tables_check_loops(const struct nft_ctx *ctx, if (!expr->ops->validate) continue; + if (strcmp(expr->ops->type->name, "immediate")) + continue; err = expr->ops->validate(ctx, expr, &data); if (err < 0) return err; - if (data == NULL) + if (!data) continue; switch (data->verdict.code) { diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c index 1d99a1ef..c7aad9c 100644 --- a/net/netfilter/nft_compat.c +++ b/net/netfilter/nft_compat.c 
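Review bot: In the nft_chain_validate_dependency hunk, cinfo from nft_get_chain_info() is dereferenced without a NULL check, and the guard `if (cinfo->type && cinfo->type != type)` treats a zero type as "unknown". NFT_CHAIN_T_DEFAULT is the zero enumerator of enum nft_chain_types in nf_tables.h, so a chain whose resolved type is the default filter type skips the check entirely, whereas the removed code returned -EOPNOTSUPP for any base chain whose type mismatched. Use a distinct sentinel for "not reachable from any base chain" and check cinfo before using it.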
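Review bot: In the nft_chain_validate_hooks hunk, `cinfo->hooknum & ~hook_flags` uses hooknum as a bitmask (the removed code built the mask with `1 << basechain->ops.hooknum`), so the field name misleads; rename it to hook_mask or document that it holds a mask of every hook the chain is reachable from. Also note the semantic change this introduces: the old check only needed the chain's one hook to be present in hook_flags, while the new one requires every reachable hook to be in hook_flags, which is stricter for a chain jumped to from several base chains, and the early `if (!hook_flags) return 0;` now gives "any hook" meaning to a mask of 0 for all callers, not just nft_compat. Both points belong in the commit message.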
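Review bot: In the nf_tables_check_loops hunk, `strcmp(expr->ops->type->name, "immediate")` is a fragile and comparatively costly way to pick out the immediate expression on every loop walk; compare expr->ops->type against the immediate expression's struct nft_expr_type pointer instead. The commit message calls this the one exception to deferred validation, but the code carries no comment saying why only immediate is validated here (its verdict data is needed for the loop check before chain info exists); add one so the next reader does not "fix" it.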
@@ -54,23 +54,6 @@ static bool nft_xt_put(struct nft_xt *xt) return false; } -static int nft_compat_chain_validate_dependency(const char *tablename, - const struct nft_chain *chain) -{ - const struct nft_base_chain *basechain; - - if (!tablename || - !nft_is_base_chain(chain)) - return 0; - - basechain = nft_base_chain(chain); - if (strcmp(tablename, "nat") == 0 && - basechain->type->type != NFT_CHAIN_T_NAT) - return -EINVAL; - - return 0; -} - union nft_entry { struct ipt_entry e4; struct ip6t_entry e6; @@ -311,24 +294,20 @@ static int nft_target_validate(const struct nft_ctx *ctx, const struct nft_data **data) { struct xt_target *target = expr->ops->data; - unsigned int hook_mask = 0; - int ret; - - if (nft_is_base_chain(ctx->chain)) { - const struct nft_base_chain *basechain = - nft_base_chain(ctx->chain); - const struct nf_hook_ops *ops = &basechain->ops; + enum nft_chain_types type; + int err; - hook_mask = 1 << ops->hooknum; - if (target->hooks && !(hook_mask & target->hooks)) - return -EINVAL; + if (!target->table) + return 0; + if (!strcmp(target->table, "nat")) + type = NFT_CHAIN_T_NAT; + else + type = NFT_CHAIN_T_DEFAULT; - ret = nft_compat_chain_validate_dependency(target->table, - ctx->chain); - if (ret < 0) - return ret; - } - return 0; + err = nft_chain_validate_dependency(ctx, type); + if (err < 0) + return err; + return nft_chain_validate_hooks(ctx, target->hooks); } static void __nft_match_eval(const struct nft_expr *expr, 
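Review bot: Removing nft_compat_chain_validate_dependency changes the errno userspace sees for a nat-only xtables target or match used outside a nat chain: the removed helper returned -EINVAL, while nft_chain_validate_dependency, which the nft_target_validate hunk now calls instead, returns -EOPNOTSUPP. If that is intended, say so in the commit message, since scripts and tests keyed on EINVAL will notice.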
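Review bot: In the nft_target_validate hunk, the new `if (!target->table) return 0;` early return also skips the hook check; the removed code checked target->hooks against the chain's hook regardless of target->table (nft_compat_chain_validate_dependency only returned 0 early for a NULL table name), so a target that sets hooks but no table is now accepted on any hook. Call nft_chain_validate_hooks(ctx, target->hooks) before the table check. Mapping every table name other than "nat" to NFT_CHAIN_T_DEFAULT is also a behaviour change: a target declaring "mangle" or "raw" will now be rejected in a nat chain, where the old helper only rejected "nat" targets outside nat chains. The nft_match_validate hunk that follows mirrors both issues and needs the same fix.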
@@ -558,24 +537,20 @@ static int nft_match_validate(const struct nft_ctx *ctx, const struct nft_data **data) { struct xt_match *match = expr->ops->data; - unsigned int hook_mask = 0; - int ret; - - if (nft_is_base_chain(ctx->chain)) { - const struct nft_base_chain *basechain = - nft_base_chain(ctx->chain); - const struct nf_hook_ops *ops = &basechain->ops; + enum nft_chain_types type; + int err; - hook_mask = 1 << ops->hooknum; - if (match->hooks && !(hook_mask & match->hooks)) - return -EINVAL; + if (!match->table) + return 0; + if (!strcmp(match->table, "nat")) + type = NFT_CHAIN_T_NAT; + else + type = NFT_CHAIN_T_DEFAULT; - ret = nft_compat_chain_validate_dependency(match->table, - ctx->chain); - if (ret < 0) - return ret; - } - return 0; + err = nft_chain_validate_dependency(ctx, type); + if (err < 0) + return err; + return nft_chain_validate_hooks(ctx, match->hooks); } static int 

From patchwork Tue May 15 12:24:14 2018 X-Patchwork-Submitter: Taehee Yoo X-Patchwork-Id: 913603 X-Patchwork-Delegate: pablo@netfilter.org
From: Taehee Yoo To: pablo@netfilter.org, netfilter-devel@vger.kernel.org Cc: ap420073@gmail.com Subject: [PATCH nf 5/5] netfilter: nf_tables: add call validate callback. Date: Tue, 15 May 2018 21:24:14 +0900 Message-Id: <20180515122414.29570-1-ap420073@gmail.com> X-Mailer: git-send-email 2.9.3 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org

A validate callback is called just before calling a ->commit callback. If it fails, ->abort is called.

Signed-off-by: Taehee Yoo
---
net/netfilter/nfnetlink.c | 13 +++++++++++++ 1 file changed, 13 insertions(+)

diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c index 03ead8a..b9b6401 100644 --- a/net/netfilter/nfnetlink.c +++ b/net/netfilter/nfnetlink.c
@@ -441,8 +441,21 @@ static void nfnetlink_rcv_batch(struct sk_buff *skb, struct nlmsghdr *nlh, kfree_skb(skb); goto replay; } else if (status == NFNL_BATCH_DONE) { + if (ss->validate) { + err = ss->validate(net); + if (err < 0) { + if (nfnl_err_add(&err_list, nlmsg_hdr(oskb), + err, &extack) < 0) { + nfnl_err_reset(&err_list); + netlink_ack(oskb, nlmsg_hdr(oskb), + -ENOMEM, NULL); + } + goto abort; + } + } ss->commit(net, oskb); } else { +abort: ss->abort(net, oskb); }
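Review bot: The `abort:` label is placed inside the body of the `else` branch and jumped to from inside the `else if (status == NFNL_BATCH_DONE)` branch; that is legal C but jumping into a sibling block is hard to read and easy to break when the surrounding code is later restructured. Call ss->abort(net, oskb) directly in the failure path, or set status to something other than NFNL_BATCH_DONE and let the existing else branch handle it. Two further points: the error is attached to nlmsg_hdr(oskb), the header of the whole batch, so userspace learns that validation failed but not which rule or expression caused it (the per-message attribution that the removed creation-time validate in patch 4/5 used to give), and the `validate` member of struct nfnetlink_subsystem is used here while the diffstat touches only nfnetlink.c, so this patch only builds after the earlier patches of the series that add it; the commit message should say so.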