From patchwork Fri May 3 19:50:41 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1931176 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=CO9P9BYx; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:45e3:2400::1; helo=sv.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-2089-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org [IPv6:2604:1380:45e3:2400::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VWLyg2JLqz20fW for ; Sat, 4 May 2024 05:51:07 +1000 (AEST) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 02E49283EE2 for ; Fri, 3 May 2024 19:51:06 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id B2226158DB8; Fri, 3 May 2024 19:50:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="CO9P9BYx" X-Original-To: netfilter-devel@vger.kernel.org Received: from orbyte.nwl.cc (orbyte.nwl.cc [151.80.46.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 
(256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 35E43158D98 for ; Fri, 3 May 2024 19:50:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=151.80.46.58 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714765849; cv=none; b=n9LzBD4MNFWbOfcUyItYwwVlRokFWtc8Zp3oEmQkRL7tUlN3LxrdHnX4u7KQjaiiapltzfTHQMQ/4KbEAZk9D31EkmJHX/5O2WK039QQ5uQTt/L/ehIwbJ/w29j3COIsT2ES1R8GBylP47OlFnIf2sWB0TYfnwg6i6pStqMT/tk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714765849; c=relaxed/simple; bh=6GFCKN9lXUEIgKCHJnnYf5A+eb/HJF4wFev+qactQr4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=PrkwCCe7JB/xhEXaHU/pe1d6pU9Depd0ePOd/R9zaGmhNKwkHyQJIfV+90hPZ+Y7OQuSlfeB7p0HoxI/6kif37Wg2UjboNqH0cnTExb+S2a4NhWC/8duYSIjJ4e+b/e5KxSFex94lngol6kwHOAZiFm54RGe1AZvSUKHmj4ocNk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nwl.cc; spf=pass smtp.mailfrom=nwl.cc; dkim=pass (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b=CO9P9BYx; arc=none smtp.client-ip=151.80.46.58 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nwl.cc Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=nwl.cc DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=7pciD9Q7CVzApqJjvV7RzRhMQkqxQjFhYoTFcjoZQQc=; b=CO9P9BYxLKeKUXtQ63okLz6M02 6KYVgMojIVgdORi0Bgo+CpVRKkGpeMMyge/X0Zit1nQW0XQxUQGvVleVLMrDt/VDdDgZTfGZHsqv/ t+c3fxc7BBeKC3xbPfuxS1YuPirp2MDcy5z8IfdjtmutMGo/HMMlEdNLBj8QJDexQn++u2vpTaxqJ 
NMutG/GXgzzhdqfDQ5V8ld5VDhzeAFLv4wuc6SH26P6hzpEiQrG5tbhSdGEC3rffoeQ7+c+pr5oTJ Nx0CSq5OJS+qLIqApsjz6bWWkZuXtTZ0mJHLOcBqpAZpb4UFuRcmAagVdlFn3liXau3EJ8oAulvjn xflvd0oA==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.97.1) (envelope-from ) id 1s2yvd-000000007E1-24Ry; Fri, 03 May 2024 21:50:45 +0200 From: Phil Sutter To: Pablo Neira Ayuso Cc: netfilter-devel@vger.kernel.org, Florian Westphal , Thomas Haller Subject: [nf-next PATCH 1/5] netfilter: nf_tables: Store user-defined hook ifname Date: Fri, 3 May 2024 21:50:41 +0200 Message-ID: <20240503195045.6934-2-phil@nwl.cc> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240503195045.6934-1-phil@nwl.cc> References: <20240503195045.6934-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 In order to support dynamic interface binding, the name must be stored separately. Also store the attribute length, it may serve to implement simple wildcards (eth* for instance). Also use the stored name when filling hook's NFTA_DEVICE_NAME attribute. This avoids at least inadvertent changes in stored rulesets if an interface is renamed at run-time. Compare hooks by this stored interface name instead of the 'ops.dev' pointer. Also prerequisite work for dynamic interface binding. Signed-off-by: Phil Sutter --- include/net/netfilter/nf_tables.h | 2 ++ net/netfilter/nf_tables_api.c | 19 +++++++++++-------- 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index 3f1ed467f951..3dec239bdb22 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -1183,6 +1183,8 @@ struct nft_hook { struct list_head list; struct nf_hook_ops ops; struct rcu_head rcu; + char ifname[IFNAMSIZ]; + u8 ifnamelen; }; /** diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 84fa25305b4f..4f64dbac5abc 100644 
--- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -1799,15 +1799,16 @@ static int nft_dump_basechain_hook(struct sk_buff *skb, int family, if (!first) first = hook; - if (nla_put_string(skb, NFTA_DEVICE_NAME, - hook->ops.dev->name)) + if (nla_put(skb, NFTA_DEVICE_NAME, + hook->ifnamelen, hook->ifname)) goto nla_put_failure; n++; } nla_nest_end(skb, nest_devs); if (n == 1 && - nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name)) + nla_put(skb, NFTA_HOOK_DEV, + first->ifnamelen, first->ifname)) goto nla_put_failure; } nla_nest_end(skb, nest); @@ -2118,7 +2119,6 @@ static struct nft_hook *nft_netdev_hook_alloc(struct net *net, const struct nlattr *attr) { struct net_device *dev; - char ifname[IFNAMSIZ]; struct nft_hook *hook; int err; @@ -2128,12 +2128,13 @@ static struct nft_hook *nft_netdev_hook_alloc(struct net *net, goto err_hook_alloc; } - nla_strscpy(ifname, attr, IFNAMSIZ); + nla_strscpy(hook->ifname, attr, IFNAMSIZ); + hook->ifnamelen = nla_len(attr); /* nf_tables_netdev_event() is called under rtnl_mutex, this is * indirectly serializing all the other holders of the commit_mutex with * the rtnl_mutex. */ - dev = __dev_get_by_name(net, ifname); + dev = __dev_get_by_name(net, hook->ifname); if (!dev) { err = -ENOENT; goto err_hook_dev; @@ -2154,7 +2155,8 @@ static struct nft_hook *nft_hook_list_find(struct list_head *hook_list, struct nft_hook *hook; list_for_each_entry(hook, hook_list, list) { - if (this->ops.dev == hook->ops.dev) + if (hook->ifnamelen == this->ifnamelen && + !strncmp(hook->ifname, this->ifname, hook->ifnamelen)) return hook; } 
@@ -8908,7 +8910,8 @@ static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net, hook_list = &flowtable->hook_list; list_for_each_entry_rcu(hook, hook_list, list) { - if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name)) + if (nla_put(skb, NFTA_DEVICE_NAME, + hook->ifnamelen, hook->ifname)) goto nla_put_failure; } nla_nest_end(skb, nest_devs); From patchwork Fri May 3 19:50:42 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1931175 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=lOtywLOM; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=139.178.88.99; helo=sv.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-2088-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org [139.178.88.99]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VWLyf605gz1yP2 for ; Sat, 4 May 2024 05:51:06 +1000 (AEST) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 3DE45283ED6 for ; Fri, 3 May 2024 19:51:05 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id A3F02158D9C; Fri, 3 May 2024 19:50:49 +0000 (UTC) 
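Review bot: in the nft_netdev_hook_alloc hunk, `hook->ifnamelen = nla_len(attr);` takes the length straight from the attribute while `nla_strscpy(hook->ifname, attr, IFNAMSIZ);` silently truncates the copy to IFNAMSIZ, so unless the netlink policy for this attribute already caps its length, the later `nla_put(skb, NFTA_DEVICE_NAME, hook->ifnamelen, hook->ifname)` can read past the end of the IFNAMSIZ buffer; the int is also narrowed into a u8. Derive the length from what was actually stored instead (nla_strscpy() returns the number of bytes copied, or -E2BIG on truncation, which is also the moment to reject over-long names), so ifnamelen can never exceed the contents of hook->ifname.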
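Review bot: the nft_dump_basechain_hook and nf_tables_fill_flowtable_info hunks replace nla_put_string() with nla_put() of hook->ifnamelen bytes, so whether the dumped NFTA_DEVICE_NAME and NFTA_HOOK_DEV attributes carry a terminating NUL now depends on whether user space included one when it sent the name (nla_len() counts it), whereas nla_put_string() always emitted strlen()+1. Either normalise ifnamelen at alloc time or keep dumping hook->ifname with nla_put_string() so listeners that parse the dump as NLA_STRING see the same wire format as before.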
:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=AK++REY20x2HUNxL9jDSx1I00rmLnV1e40Qdi3dH2qo=; b=lOtywLOMJLI0p4QfBD7l2K98+s 0Qch34eijdME4aHRWOWWSF7gea8GmA3d+43T41ShCHOU3hbbc94dKURU4eKZVDo+5tqcK4/SCNxaJ MdpLqKxVwvariXFYfOlusMroMFrsCaQb0eO+a+KhrRtWws/Bp2RS9gfCJk8kJXT0jdf8Cbd717Phy Xf3qRWnVXwrfGcgUlC/R9L+UzHB+Ook9fnWcBIUiSq+J5kL0NYUb3Wt5VgmvGyBRU/KjjYYeoVLGH sj4OAgy+9pxTupBZBVCBkKBGhrDDoANYbaAdWoSAsjGfw45P50uVLYTku6He3sM1iRo5Ue7RVfQBx kEH/ue8w==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.97.1) (envelope-from ) id 1s2yvc-000000007Du-40lL; Fri, 03 May 2024 21:50:44 +0200 From: Phil Sutter To: Pablo Neira Ayuso Cc: netfilter-devel@vger.kernel.org, Florian Westphal , Thomas Haller Subject: [nf-next PATCH 2/5] netfilter: nf_tables: Relax hook interface binding Date: Fri, 3 May 2024 21:50:42 +0200 Message-ID: <20240503195045.6934-3-phil@nwl.cc> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240503195045.6934-1-phil@nwl.cc> References: <20240503195045.6934-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 When creating a new flowtable or netdev-family chain, accept that the devices to bind to may not exist and proceed to create a stub hook. Such inactive hooks are identified by 'ops.dev' pointer being NULL, ignore them for practical purposes. When reacting upon a vanishing interface, merely deactivate the hook instead of removing it from the list. Also leave netdev chains in place even if no active hooks remain. In combination with externally stored interface names, this stabilizes ruleset dumps with regard to disappearing interfaces. Signed-off-by: Phil Sutter --- include/net/netfilter/nf_tables.h | 2 - net/netfilter/nf_tables_api.c | 63 +++++++++++++------------------ net/netfilter/nft_chain_filter.c | 29 +++----------- 3 files changed, 33 insertions(+), 61 deletions(-) 
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index 3dec239bdb22..9cbef71f0462 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -1220,8 +1220,6 @@ static inline bool nft_is_base_chain(const struct nft_chain *chain) return chain->flags & NFT_CHAIN_BASE; } -int __nft_release_basechain(struct nft_ctx *ctx); - unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv); static inline bool nft_use_inc(u32 *use) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 4f64dbac5abc..35990fbed444 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -282,6 +282,9 @@ static int nft_netdev_register_hooks(struct net *net, j = 0; list_for_each_entry(hook, hook_list, list) { + if (!hook->ops.dev) + continue; + err = nf_register_net_hook(net, &hook->ops); if (err < 0) goto err_register; @@ -292,6 +295,9 @@ static int nft_netdev_register_hooks(struct net *net, err_register: list_for_each_entry(hook, hook_list, list) { + if (!hook->ops.dev) + continue; + if (j-- <= 0) break; @@ -307,7 +313,10 @@ static void nft_netdev_unregister_hooks(struct net *net, struct nft_hook *hook, *next; list_for_each_entry_safe(hook, next, hook_list, list) { - nf_unregister_net_hook(net, &hook->ops); + if (hook->ops.dev) { + nf_unregister_net_hook(net, &hook->ops); + hook->ops.dev = NULL; + } if (release_netdev) { list_del(&hook->list); kfree_rcu(hook, rcu); @@ -2118,7 +2127,6 @@ void nf_tables_chain_destroy(struct nft_ctx *ctx) static struct nft_hook *nft_netdev_hook_alloc(struct net *net, const struct nlattr *attr) { - struct net_device *dev; struct nft_hook *hook; int err; 
@@ -2134,17 +2142,10 @@ static struct nft_hook *nft_netdev_hook_alloc(struct net *net, * indirectly serializing all the other holders of the commit_mutex with * the rtnl_mutex. */ - dev = __dev_get_by_name(net, hook->ifname); - if (!dev) { - err = -ENOENT; - goto err_hook_dev; - } - hook->ops.dev = dev; + hook->ops.dev = __dev_get_by_name(net, hook->ifname); return hook; -err_hook_dev: - kfree(hook); err_hook_alloc: return ERR_PTR(err); } @@ -8452,6 +8453,9 @@ static void nft_unregister_flowtable_hook(struct net *net, struct nft_flowtable *flowtable, struct nft_hook *hook) { + if (!hook->ops.dev) + return; + nf_unregister_net_hook(net, &hook->ops); flowtable->data.type->setup(&flowtable->data, hook->ops.dev, FLOW_BLOCK_UNBIND); @@ -8464,7 +8468,8 @@ static void __nft_unregister_flowtable_net_hooks(struct net *net, struct nft_hook *hook, *next; list_for_each_entry_safe(hook, next, hook_list, list) { - nf_unregister_net_hook(net, &hook->ops); + if (hook->ops.dev) + nf_unregister_net_hook(net, &hook->ops); if (release_netdev) { list_del(&hook->list); kfree_rcu(hook, rcu); @@ -8488,6 +8493,9 @@ static int nft_register_flowtable_net_hooks(struct net *net, int err, i = 0; list_for_each_entry(hook, hook_list, list) { + if (!hook->ops.dev) + continue; + list_for_each_entry(ft, &table->flowtables, list) { if (!nft_is_active_next(net, ft)) continue; @@ -8522,6 +8530,9 @@ static int nft_register_flowtable_net_hooks(struct net *net, err_unregister_net_hooks: list_for_each_entry_safe(hook, next, hook_list, list) { + if (!hook->ops.dev) + continue; + if (i-- <= 0) break; 
@@ -9117,8 +9128,10 @@ static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable) flowtable->data.type->free(&flowtable->data); list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { - flowtable->data.type->setup(&flowtable->data, hook->ops.dev, - FLOW_BLOCK_UNBIND); + if (hook->ops.dev) + flowtable->data.type->setup(&flowtable->data, + hook->ops.dev, + FLOW_BLOCK_UNBIND); list_del_rcu(&hook->list); kfree(hook); } @@ -9164,8 +9177,7 @@ static void nft_flowtable_event(unsigned long event, struct net_device *dev, /* flow_offload_netdev_event() cleans up entries for us. */ nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook); - list_del_rcu(&hook->list); - kfree_rcu(hook, rcu); + hook->ops.dev = NULL; break; } } @@ -11406,27 +11418,6 @@ int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data, } EXPORT_SYMBOL_GPL(nft_data_dump); -int __nft_release_basechain(struct nft_ctx *ctx) -{ - struct nft_rule *rule, *nr; - - if (WARN_ON(!nft_is_base_chain(ctx->chain))) - return 0; - - nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain); - list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) { - list_del(&rule->list); - nft_use_dec(&ctx->chain->use); - nf_tables_rule_release(ctx, rule); - } - nft_chain_del(ctx->chain); - nft_use_dec(&ctx->table->use); - nf_tables_chain_destroy(ctx); - - return 0; -} -EXPORT_SYMBOL_GPL(__nft_release_basechain); - static void __nft_release_hook(struct net *net, struct nft_table *table) { struct nft_flowtable *flowtable; diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c index 274b6f7e6bb5..ddb438bc2afd 100644 --- a/net/netfilter/nft_chain_filter.c +++ b/net/netfilter/nft_chain_filter.c 
@@ -322,35 +322,18 @@ static void nft_netdev_event(unsigned long event, struct net_device *dev, struct nft_ctx *ctx) { struct nft_base_chain *basechain = nft_base_chain(ctx->chain); - struct nft_hook *hook, *found = NULL; - int n = 0; + struct nft_hook *hook; if (event != NETDEV_UNREGISTER) return; list_for_each_entry(hook, &basechain->hook_list, list) { - if (hook->ops.dev == dev) - found = hook; - - n++; - } - if (!found) - return; - - if (n > 1) { - nf_unregister_net_hook(ctx->net, &found->ops); - list_del_rcu(&found->list); - kfree_rcu(found, rcu); - return; + if (hook->ops.dev == dev) { + nf_unregister_net_hook(ctx->net, &hook->ops); + hook->ops.dev = NULL; + break; + } } - - /* UNREGISTER events are also happening on netns exit. - * - * Although nf_tables core releases all tables/chains, only this event - * handler provides guarantee that hook->ops.dev is still accessible, - * so we cannot skip exiting net namespaces. - */ - __nft_release_basechain(ctx); } static int nf_tables_netdev_event(struct notifier_block *this, From patchwork Fri May 3 19:50:43 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1931177 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=bTq/tZ5s; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:45d1:ec00::1; helo=ny.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-2090-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org [IPv6:2604:1380:45d1:ec00::1]) (using TLSv1.3 with cipher 
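Review bot: with the -ENOENT path removed in the nft_netdev_hook_alloc hunk (`hook->ops.dev = __dev_get_by_name(net, hook->ifname);` with no NULL check), a mistyped interface name no longer fails chain or flowtable creation; it silently yields an inactive hook, and nothing in this patch lets the user see that. The commit message should call out this user-visible change explicitly, since a ruleset that references the wrong interface now loads without error and filters nothing on that device.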
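Review bot: the nft_netdev_unregister_hooks and __nft_unregister_flowtable_net_hooks hunks disagree on whether ops.dev is cleared after unregistering when release_netdev is false: the former does `hook->ops.dev = NULL;`, the latter only wraps the call in `if (hook->ops.dev)`. A hook that keeps ops.dev will be registered again by the next nft_netdev_register_hooks() or nft_register_flowtable_net_hooks() pass, while one with it cleared stays inactive until a NETDEV_REGISTER event; pick one behaviour for both helpers and say in a comment which is intended.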
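Review bot: the nft_netdev_event hunk deletes the comment explaining that UNREGISTER also fires on netns exit and that this handler was the last point at which hook->ops.dev was known to be valid, and removes __nft_release_basechain() altogether. Clearing ops.dev does preserve the "no dangling device pointer" property, but the commit message should state why leaving the now hook-less base chain alive at netns exit is safe, i.e. that the remaining release paths (__nft_release_hook() and friends) cope with ops.dev == NULL. The `break;` after the first match also assumes a device appears at most once in hook_list, which nft_hook_list_find()'s by-name lookup guarantees; a one-line comment there would spare the next reader the search.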
From: Phil Sutter To: Pablo Neira Ayuso Cc: netfilter-devel@vger.kernel.org, Florian Westphal , Thomas Haller Subject: [nf-next PATCH 3/5] netfilter: nf_tables: Report active interfaces to user space Date: Fri, 3 May 2024 21:50:43 +0200 Message-ID: <20240503195045.6934-4-phil@nwl.cc> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240503195045.6934-1-phil@nwl.cc> References: <20240503195045.6934-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Since netdev family chains and flowtables now report the interfaces they were created for irrespective of their existence, introduce new netlink attributes holding the currently active set of interfaces. Signed-off-by: Phil Sutter --- include/uapi/linux/netfilter/nf_tables.h | 6 +++++- net/netfilter/nf_tables_api.c | 25 ++++++++++++++++++++++++ 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index aa4094ca2444..adcac6ee619d 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h @@ -164,6 +164,7 @@ enum nft_list_attributes { * @NFTA_HOOK_PRIORITY: netfilter hook priority (NLA_U32) * @NFTA_HOOK_DEV: netdevice name (NLA_STRING) * @NFTA_HOOK_DEVS: list of netdevices (NLA_NESTED) + * @NFTA_HOOK_ACT_DEVS: list of active netdevices (NLA_NESTED) */ enum nft_hook_attributes { NFTA_HOOK_UNSPEC, @@ -171,6 +172,7 @@ enum nft_hook_attributes { NFTA_HOOK_PRIORITY, NFTA_HOOK_DEV, NFTA_HOOK_DEVS, + NFTA_HOOK_ACT_DEVS, __NFTA_HOOK_MAX }; #define NFTA_HOOK_MAX (__NFTA_HOOK_MAX - 1) 
@@ -1717,13 +1719,15 @@ enum nft_flowtable_attributes { * * @NFTA_FLOWTABLE_HOOK_NUM: netfilter hook number (NLA_U32) * @NFTA_FLOWTABLE_HOOK_PRIORITY: netfilter hook priority (NLA_U32) - * @NFTA_FLOWTABLE_HOOK_DEVS: input devices this flow table is bound to (NLA_NESTED) + * @NFTA_FLOWTABLE_HOOK_DEVS: input devices this flow table is configured for (NLA_NESTED) + * @NFTA_FLOWTABLE_HOOK_ACT_DEVS: input devices this flow table is currently bound to (NLA_NESTED) */ enum nft_flowtable_hook_attributes { NFTA_FLOWTABLE_HOOK_UNSPEC, NFTA_FLOWTABLE_HOOK_NUM, NFTA_FLOWTABLE_HOOK_PRIORITY, NFTA_FLOWTABLE_HOOK_DEVS, + NFTA_FLOWTABLE_HOOK_ACT_DEVS, __NFTA_FLOWTABLE_HOOK_MAX }; #define NFTA_FLOWTABLE_HOOK_MAX (__NFTA_FLOWTABLE_HOOK_MAX - 1) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 35990fbed444..87576accc2b2 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -1819,6 +1819,18 @@ static int nft_dump_basechain_hook(struct sk_buff *skb, int family, nla_put(skb, NFTA_HOOK_DEV, first->ifnamelen, first->ifname)) goto nla_put_failure; + + nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_ACT_DEVS); + if (!nest_devs) + goto nla_put_failure; + + list_for_each_entry(hook, hook_list, list) { + if (hook->ops.dev && + nla_put_string(skb, NFTA_DEVICE_NAME, + hook->ops.dev->name)) + goto nla_put_failure; + } + nla_nest_end(skb, nest_devs); } nla_nest_end(skb, nest); 
@@ -8926,6 +8938,19 @@ static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net, goto nla_put_failure; } nla_nest_end(skb, nest_devs); + + nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_ACT_DEVS); + if (!nest_devs) + goto nla_put_failure; + + list_for_each_entry_rcu(hook, hook_list, list) { + if (hook->ops.dev && + nla_put_string(skb, NFTA_DEVICE_NAME, + hook->ops.dev->name)) + goto nla_put_failure; + } + nla_nest_end(skb, nest_devs); + nla_nest_end(skb, nest); nlmsg_end(skb, nlh); From patchwork Fri May 3 19:50:44 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1931178 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=JzWLZgal; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=147.75.80.249; helo=am.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-2091-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from am.mirrors.kernel.org (am.mirrors.kernel.org [147.75.80.249]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VWLyn2rxvz1yP2 for ; Sat, 4 May 2024 05:51:13 +1000 (AEST) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id C65AE1F23017 for ; Fri, 3 May 2024 19:51:10 +0000 (UTC) Received: from 
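Review bot: in the nf_tables_fill_flowtable_info hunk, hook->ops.dev is tested and then dereferenced in two separate loads (`if (hook->ops.dev && nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))`) inside a list_for_each_entry_rcu() walk, while the event handlers in this series clear hook->ops.dev under commit_mutex only. If the dump runs under RCU, as the _rcu iterator suggests, it can pass the check and then dereference NULL; load the pointer once into a local (`struct net_device *dev = READ_ONCE(hook->ops.dev);`), pair it with WRITE_ONCE() on the writer side, or confirm the dump also holds commit_mutex. The same two-load pattern appears in the nft_dump_basechain_hook hunk.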
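Review bot: the uapi hunk redefines NFTA_FLOWTABLE_HOOK_DEVS from "bound to" to "configured for", which is a semantic change for existing user space that reads this attribute as the list of devices the flowtable actually hooks; new attributes at the end of the enums are fine for compatibility, but the commit message should spell out that old consumers will now see not-yet-existing devices in NFTA_FLOWTABLE_HOOK_DEVS and NFTA_HOOK_DEVS and must switch to the *_ACT_DEVS nests to learn what is live.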
Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=dwwtMrczmJx1Ya/kKt00h/d4qBYOAz4MbxSC8Ci5pl8=; b=JzWLZgalOc2P6f9HYoCWpQhWpo me2srD95pdzwy6zkQq6TIvyInCvsQKoIiM1GpD4t3ynIURvFUGnhrU1FZG9/F2STrSpHnJQhUH8G1 baogE5XnE3z3lF6Xxzv6kMcvLHQ9IRwf28Z3DUWhaEF3aUcxjBUg/84pbPEi5PshlbLk8HMN4JxpR jGpp9XSCnHQDaZCZo0ZgbpWOJVQ1WSutHcYC2VjD6OBrDXsGbYnTgxjpAV/BD2J/1p0yrGSQrbe+E FWC/3DA8GDchk03ysser12zF0x+H24609FGSKrTrOS4yBZ1LirY9rUKw+roiHPElMg4aylnP2Eq5R rcByvTPw==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.97.1) (envelope-from ) id 1s2yvb-000000007DY-0y69; Fri, 03 May 2024 21:50:43 +0200 From: Phil Sutter To: Pablo Neira Ayuso Cc: netfilter-devel@vger.kernel.org, Florian Westphal , Thomas Haller Subject: [nf-next PATCH 4/5] netfilter: nf_tables: Dynamic hook interface binding Date: Fri, 3 May 2024 21:50:44 +0200 Message-ID: <20240503195045.6934-5-phil@nwl.cc> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240503195045.6934-1-phil@nwl.cc> References: <20240503195045.6934-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Upon NETDEV_REGISTER event, search existing flowtables and netdev-family chains for a matching inactive hook and bind the device. Signed-off-by: Phil Sutter --- net/netfilter/nf_tables_api.c | 76 +++++++++++++++++++++++--------- net/netfilter/nft_chain_filter.c | 40 +++++++++++++++-- 2 files changed, 91 insertions(+), 25 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 87576accc2b2..b19f40874c48 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c 
@@ -8460,6 +8460,27 @@ nft_flowtable_type_get(struct net *net, u8 family) return ERR_PTR(-ENOENT); } +static int nft_register_flowtable_hook(struct net *net, + struct nft_flowtable *flowtable, + struct nft_hook *hook) +{ + int err; + + err = flowtable->data.type->setup(&flowtable->data, + hook->ops.dev, FLOW_BLOCK_BIND); + if (err < 0) + return err; + + err = nf_register_net_hook(net, &hook->ops); + if (err < 0) { + flowtable->data.type->setup(&flowtable->data, + hook->ops.dev, FLOW_BLOCK_UNBIND); + return err; + } + + return 0; +} + /* Only called from error and netdev event paths. */ static void nft_unregister_flowtable_hook(struct net *net, struct nft_flowtable *flowtable, @@ -8521,20 +8542,10 @@ static int nft_register_flowtable_net_hooks(struct net *net, } } - err = flowtable->data.type->setup(&flowtable->data, - hook->ops.dev, - FLOW_BLOCK_BIND); + err = nft_register_flowtable_hook(net, flowtable, hook); if (err < 0) goto err_unregister_net_hooks; - err = nf_register_net_hook(net, &hook->ops); - if (err < 0) { - flowtable->data.type->setup(&flowtable->data, - hook->ops.dev, - FLOW_BLOCK_UNBIND); - goto err_unregister_net_hooks; - } - i++; } 
@@ -9191,20 +9202,40 @@ static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net, return -EMSGSIZE; } -static void nft_flowtable_event(unsigned long event, struct net_device *dev, - struct nft_flowtable *flowtable) +static int nft_flowtable_event(unsigned long event, struct net_device *dev, + struct nft_flowtable *flowtable) { struct nft_hook *hook; list_for_each_entry(hook, &flowtable->hook_list, list) { - if (hook->ops.dev != dev) - continue; + switch (event) { + case NETDEV_UNREGISTER: + if (hook->ops.dev != dev) + break; - /* flow_offload_netdev_event() cleans up entries for us. */ - nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook); - hook->ops.dev = NULL; - break; + /* flow_offload_netdev_event() cleans up entries for us. */ + nft_unregister_flowtable_hook(dev_net(dev), + flowtable, hook); + hook->ops.dev = NULL; + return 1; + case NETDEV_REGISTER: + if (hook->ops.dev || + strncmp(hook->ifname, dev->name, hook->ifnamelen)) + break; + + hook->ops.dev = dev; + if (!nft_register_flowtable_hook(dev_net(dev), + flowtable, hook)) + return 1; + + printk(KERN_ERR + "flowtable %s: Can't hook into device %s\n", + flowtable->name, dev->name); + hook->ops.dev = NULL; + break; + } } + return 0; } static int nf_tables_flowtable_event(struct notifier_block *this, @@ -9216,7 +9247,8 @@ static int nf_tables_flowtable_event(struct notifier_block *this, struct nft_table *table; struct net *net; - if (event != NETDEV_UNREGISTER) + if (event != NETDEV_UNREGISTER && + event != NETDEV_REGISTER) return 0; net = dev_net(dev); @@ -9224,9 +9256,11 @@ static int nf_tables_flowtable_event(struct notifier_block *this, mutex_lock(&nft_net->commit_mutex); list_for_each_entry(table, &nft_net->tables, list) { list_for_each_entry(flowtable, &table->flowtables, list) { - nft_flowtable_event(event, dev, flowtable); + if (nft_flowtable_event(event, dev, flowtable)) + goto out_unlock; } } +out_unlock: mutex_unlock(&nft_net->commit_mutex); return NOTIFY_DONE; 
diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c index ddb438bc2afd..b2147f8be60c 100644 --- a/net/netfilter/nft_chain_filter.c +++ b/net/netfilter/nft_chain_filter.c @@ -318,19 +318,50 @@ static const struct nft_chain_type nft_chain_filter_netdev = { }, }; +static int nft_netdev_hook_dev_update(struct nft_hook *hook, + struct net_device *dev) +{ + int ret = 0; + + if (hook->ops.dev) + nf_unregister_net_hook(dev_net(hook->ops.dev), &hook->ops); + + hook->ops.dev = dev; + + if (dev) { + ret = nf_register_net_hook(dev_net(dev), &hook->ops); + if (ret < 0) + hook->ops.dev = NULL; + } + + return ret; +} + static void nft_netdev_event(unsigned long event, struct net_device *dev, struct nft_ctx *ctx) { struct nft_base_chain *basechain = nft_base_chain(ctx->chain); struct nft_hook *hook; - if (event != NETDEV_UNREGISTER) + if (event != NETDEV_UNREGISTER && + event != NETDEV_REGISTER) return; list_for_each_entry(hook, &basechain->hook_list, list) { - if (hook->ops.dev == dev) { - nf_unregister_net_hook(ctx->net, &hook->ops); - hook->ops.dev = NULL; + switch (event) { + case NETDEV_UNREGISTER: + if (hook->ops.dev == dev) + nft_netdev_hook_dev_update(hook, NULL); + break; + case NETDEV_REGISTER: + if (hook->ops.dev || + strncmp(hook->ifname, dev->name, hook->ifnamelen)) + break; + if (!nft_netdev_hook_dev_update(hook, dev)) + return; + + printk(KERN_ERR "chain %s: Can't hook into device %s\n", + ctx->chain->name, dev->name); break; } } 
@@ -349,6 +380,7 @@ static int nf_tables_netdev_event(struct notifier_block *this, }; if (event != NETDEV_UNREGISTER && + event != NETDEV_REGISTER && event != NETDEV_CHANGENAME) return NOTIFY_DONE; From patchwork Fri May 3 19:50:45 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1931179 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=fH8IGv3t; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:4601:e00::3; helo=am.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-2092-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from am.mirrors.kernel.org (am.mirrors.kernel.org [IPv6:2604:1380:4601:e00::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VWLyn6sZsz20fW for ; Sat, 4 May 2024 05:51:13 +1000 (AEST) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 365051F2305C for ; Fri, 3 May 2024 19:51:11 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 3DE15158DC0; Fri, 3 May 2024 19:50:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc 
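Review bot: the new `return 1` in the NETDEV_UNREGISTER case of nft_flowtable_event (hunk @@ -9191), together with `goto out_unlock` in nf_tables_flowtable_event (hunk @@ -9224), ends the walk over all tables at the first flowtable that owned a hook for the device, whereas the old code visited every flowtable in every table. Unless at most one flowtable hook in the whole netns can reference a given device, a second flowtable's hook would keep a stale `ops.dev` after the device is gone. Either keep iterating for NETDEV_UNREGISTER (only NETDEV_REGISTER needs to stop after the first successful bind), or add a comment stating the uniqueness guarantee that makes the early exit safe.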
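Review bot: `strncmp(hook->ifname, dev->name, hook->ifnamelen)` in the NETDEV_REGISTER case (hunk @@ -9191, and the identical test in nft_netdev_event in the nft_chain_filter.c hunk @@ -318) is a prefix comparison, so a hook configured for "eth1" only rejects a newly registered "eth10" if `ifnamelen` covers the terminating NUL or the comparison is otherwise bounded to the full name. A comment at the comparison, or a small shared helper (say, a hypothetical nft_hook_matches_dev(hook, dev)) used by both files, would keep that rule in one place instead of two copies.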
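Review bot: both new error messages use a bare `printk(KERN_ERR ...)` (flowtable path in hunk @@ -9191, chain path in the nft_chain_filter.c hunk @@ -318); pr_err() or netdev_err(dev, ...) is the customary form. Since flowtable and chain names are only unique within a table, printing the table name too (flowtable->table->name, ctx->table->name) would make the message actionable for an operator who sees a device that did not get hooked.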
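Review bot: after hunk @@ -349 nf_tables_netdev_event still forwards NETDEV_CHANGENAME, but nft_netdev_event (hunk @@ -318) now returns early for anything other than NETDEV_UNREGISTER and NETDEV_REGISTER, so within this patch a rename reaches the per-chain handler and is silently ignored. If rename handling is intentionally deferred to the following patch, a sentence in the commit message saying so would help anyone bisecting.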
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org, Florian Westphal, Thomas Haller
Subject: [nf-next PATCH 5/5] netfilter: nf_tables: Correctly handle NETDEV_RENAME events
Date: Fri, 3 May 2024 21:50:45 +0200
Message-ID: <20240503195045.6934-6-phil@nwl.cc>
In-Reply-To: <20240503195045.6934-1-phil@nwl.cc>
References: <20240503195045.6934-1-phil@nwl.cc>
X-Mailing-List: netfilter-devel@vger.kernel.org

Treat a netdev rename like removal and recreation with a different name. In theory, one could leave hooks in place which still cover the new name, but this is both unlikely and needlessly complicates the code.

Signed-off-by: Phil Sutter
---
 net/netfilter/nf_tables_api.c    | 10 +++++++---
 net/netfilter/nft_chain_filter.c |  9 ++++++---
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index b19f40874c48..b3a5a2878459 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -9247,9 +9247,13 @@ static int nf_tables_flowtable_event(struct notifier_block *this, struct nft_table *table; struct net *net; - if (event != NETDEV_UNREGISTER && - event != NETDEV_REGISTER) - return 0; + if (event == NETDEV_CHANGENAME) { + nf_tables_flowtable_event(this, NETDEV_UNREGISTER, ptr); + event = NETDEV_REGISTER; + } else if (event != NETDEV_UNREGISTER && + event != NETDEV_REGISTER) { + return NOTIFY_DONE; + } net = dev_net(dev); nft_net = nft_pernet(net); diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c index b2147f8be60c..cc0cf47503f4 100644 --- a/net/netfilter/nft_chain_filter.c +++ b/net/netfilter/nft_chain_filter.c @@ -379,10 +379,13 @@ static int nf_tables_netdev_event(struct notifier_block *this, .net = dev_net(dev), }; - if (event != NETDEV_UNREGISTER && - event != NETDEV_REGISTER && - event != NETDEV_CHANGENAME) + if (event == NETDEV_CHANGENAME) { + nf_tables_netdev_event(this, NETDEV_UNREGISTER, ptr); + event = NETDEV_REGISTER; + } else if (event != NETDEV_UNREGISTER && + event != NETDEV_REGISTER) { return NOTIFY_DONE; + } nft_net = nft_pernet(ctx.net); mutex_lock(&nft_net->commit_mutex);
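Review bot: the subject speaks of NETDEV_RENAME events, but the notifier event handled in both hunks is NETDEV_CHANGENAME; use the real constant name in the subject and commit message so the log matches the code.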
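Review bot: the recursive `nf_tables_flowtable_event(this, NETDEV_UNREGISTER, ptr)` call (hunk @@ -9247) takes and releases commit_mutex inside, and the outer call then takes it again for the NETDEV_REGISTER half, so unregistering and rebinding the renamed device are not one critical section; nf_tables_netdev_event (hunk @@ -379) has the same shape. Factoring the locked body into a helper that handles a single event with the mutex already held, and calling it twice for NETDEV_CHANGENAME, keeps the rename atomic with respect to concurrent transactions and avoids the self-recursion, which is easy to misread as a retry.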