Message ID | 20170504123417.22088-1-phil@nwl.cc |
---|---|
State | Not Applicable |
Delegated to: | Pablo Neira |
On Thu, May 04, 2017 at 02:34:17PM +0200, Phil Sutter wrote: > This allows user space to reliably match kernel generated handles with > added rules for reference. > > Signed-off-by: Phil Sutter <phil@nwl.cc> > --- > net/netfilter/nf_tables_api.c | 19 ++++++++++++++++++- > 1 file changed, 18 insertions(+), 1 deletion(-) > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c > index 1c6482d2c4dcf..71bce5d024409 100644 > --- a/net/netfilter/nf_tables_api.c > +++ b/net/netfilter/nf_tables_api.c > @@ -2142,6 +2142,7 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk, > struct nft_userdata *udata; > struct nft_trans *trans = NULL; > struct nft_expr *expr; > + struct sk_buff *skb2; > struct nft_ctx ctx; > struct nlattr *tmp; > unsigned int size, i, n, ulen = 0, usize = 0; > @@ -2281,8 +2282,24 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk, > goto err3; > } > chain->use++; > - return 0; > > + skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL); > + if (!skb2) { > + err = -ENOMEM; > + goto err4; > + } > + err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid, > + nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0, > + nfmsg->nfgen_family, table, chain, rule); > + if (err < 0) > + goto err5; > + > + return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); You can achieve this already via NLM_F_ECHO. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Thu, May 04, 2017 at 03:35:44PM +0200, Pablo Neira Ayuso wrote: > On Thu, May 04, 2017 at 02:34:17PM +0200, Phil Sutter wrote: > > This allows user space to reliably match kernel generated handles with > > added rules for reference. > > > > Signed-off-by: Phil Sutter <phil@nwl.cc> > > --- > > net/netfilter/nf_tables_api.c | 19 ++++++++++++++++++- > > 1 file changed, 18 insertions(+), 1 deletion(-) > > > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c > > index 1c6482d2c4dcf..71bce5d024409 100644 > > --- a/net/netfilter/nf_tables_api.c > > +++ b/net/netfilter/nf_tables_api.c > > @@ -2142,6 +2142,7 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk, > > struct nft_userdata *udata; > > struct nft_trans *trans = NULL; > > struct nft_expr *expr; > > + struct sk_buff *skb2; > > struct nft_ctx ctx; > > struct nlattr *tmp; > > unsigned int size, i, n, ulen = 0, usize = 0; > > @@ -2281,8 +2282,24 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk, > > goto err3; > > } > > chain->use++; > > - return 0; > > > > + skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL); > > + if (!skb2) { > > + err = -ENOMEM; > > + goto err4; > > + } > > + err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid, > > + nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0, > > + nfmsg->nfgen_family, table, chain, rule); > > + if (err < 0) > > + goto err5; > > + > > + return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); > > You can achieve this already via NLM_F_ECHO. Oh, thanks for the pointer! Cheers, Phil -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 1c6482d2c4dcf..71bce5d024409 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2142,6 +2142,7 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk,
 struct nft_userdata *udata;
 struct nft_trans *trans = NULL;
 struct nft_expr *expr;
+ struct sk_buff *skb2;
 struct nft_ctx ctx;
 struct nlattr *tmp;
 unsigned int size, i, n, ulen = 0, usize = 0;
@@ -2281,8 +2282,24 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk,
 goto err3;
 }
 chain->use++;
- return 0;
 
+ skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
+ if (!skb2) {
+ err = -ENOMEM;
+ goto err4;
+ }
+ err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
+ nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
+ nfmsg->nfgen_family, table, chain, rule);
+ if (err < 0)
+ goto err5;
+
+ return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
+
+err5:
+ kfree_skb(skb2);
+err4:
+ chain->use--;
 err3:
 list_del_rcu(&rule->list);
 err2:
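Review bot: The new `err5`/`err4` labels undo `chain->use++` and then fall into `err3`/`err2`, which unlink and free the rule, but nothing on that path dequeues the NFT_MSG_NEWRULE transaction that was queued immediately before `chain->use++` (the `goto err3` guard above it is visible; the nft_trans_rule_add() call itself is outside the hunk). If the batch abort later walks the commit list and releases that transaction's rule and drops `chain->use` again — which is what the surrounding transaction code appears to do, though it is not visible here — an `alloc_skb()` or `nf_tables_fill_rule_info()` failure would leave a queued transaction pointing at a freed rule and underflow the use count. Either keep the handle returned by nft_trans_rule_add() and dequeue it on this path, e.g. `list_del(&trans_new->list); nft_trans_destroy(trans_new);` placed before the fall-through into `err3`, or drop the manual unwind entirely and `return err;` so the abort path performs the cleanup once. Separately, `NLMSG_GOODSIZE` now bounds the echo message, so a valid rule whose attributes do not fit (`-EMSGSIZE` from `nf_tables_fill_rule_info()`) is rejected outright; sizing the skb from the rule, or treating an echo failure as non-fatal once the rule is queued, would avoid turning a notification limit into an insertion limit. `nf_tables_newrule` starts and ends outside the hunk.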
This allows user space to reliably match kernel-generated handles with the rules it just added, so it can refer to them later. Signed-off-by: Phil Sutter <phil@nwl.cc> --- net/netfilter/nf_tables_api.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-)