On Tue, Dec 26, 2017 at 9:41 PM, Pablo Neira Ayuso <[email protected]> wrote:
> Hi Harsha,
>
> On Sat, Dec 23, 2017 at 11:44:20AM -0800, Harsha Sharma wrote:
>> This patch adds code to allocate 'handle' in tables, which allow us to
>> uniquely identify a table.
>>
>> Signed-off-by: Harsha Sharma <[email protected]>
>> ---
>> include/net/netfilter/nf_tables.h | 2 ++
>> include/uapi/linux/netfilter/nf_tables.h | 2 ++
>> net/netfilter/nf_tables_api.c | 12 +++++++++++-
>> 3 files changed, 15 insertions(+), 1 deletion(-)
>>
>> diff --git a/include/net/netfilter/nf_tables.h
>> b/include/net/netfilter/nf_tables.h
>> index 01570a8f2982..bbc7bfcc1a57 100644
>> --- a/include/net/netfilter/nf_tables.h
>> +++ b/include/net/netfilter/nf_tables.h
>> @@ -949,6 +949,7 @@ unsigned int nft_do_chain(struct nft_pktinfo *pkt, void
>> *priv);
>> * @sets: sets in the table
>> * @objects: stateful objects in the table
>> * @hgenerator: handle generator state
>> + * @handle: table handle
>> * @use: number of chain references to this table
>> * @flags: table flag (see enum nft_table_flags)
>> * @genmask: generation mask
>> @@ -960,6 +961,7 @@ struct nft_table {
>> struct list_head sets;
>> struct list_head objects;
>> u64 hgenerator;
>> + u64 handle:42;
>> u32 use;
>> u16 flags:14,
>> genmask:2;
>> diff --git a/include/uapi/linux/netfilter/nf_tables.h
>> b/include/uapi/linux/netfilter/nf_tables.h
>> index a3ee277b17a1..a6ab9a962eae 100644
>> --- a/include/uapi/linux/netfilter/nf_tables.h
>> +++ b/include/uapi/linux/netfilter/nf_tables.h
>> @@ -168,6 +168,8 @@ enum nft_table_attributes {
>> NFTA_TABLE_NAME,
>> NFTA_TABLE_FLAGS,
>> NFTA_TABLE_USE,
>> + NFTA_TABLE_HANDLE,
>> + NFTA_TABLE_PAD,
>> __NFTA_TABLE_MAX
>> };
>> #define NFTA_TABLE_MAX (__NFTA_TABLE_MAX - 1)
>> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
>> index d8327b43e4dc..4a4e247e6028 100644
>> --- a/net/netfilter/nf_tables_api.c
>> +++ b/net/netfilter/nf_tables_api.c
>> @@ -22,6 +22,7 @@
>> #include <net/net_namespace.h>
>> #include <net/sock.h>
>>
>> +static u64 table_handle;
>
> You need to place this handle number in struct nft_table.
>
This table_handle is passed to the struct nft_table in nf_tables_newtable().
>> static LIST_HEAD(nf_tables_expressions);
>> static LIST_HEAD(nf_tables_objects);
>>
>> @@ -430,6 +431,7 @@ static const struct nla_policy
>> nft_table_policy[NFTA_TABLE_MAX + 1] = {
>> [NFTA_TABLE_NAME] = { .type = NLA_STRING,
>> .len = NFT_TABLE_MAXNAMELEN - 1 },
>> [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
>> + [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
> ^^^
> missing tab indent here.
>
>> };
>>
>> static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
>> @@ -451,7 +453,9 @@ static int nf_tables_fill_table_info(struct sk_buff
>> *skb, struct net *net,
>>
>> if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
>> nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
>> - nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
>> + nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
>> + nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
>> + NFTA_TABLE_PAD))
>> goto nla_put_failure;
>>
>> nlmsg_end(skb, nlh);
>> @@ -734,6 +738,12 @@ static int nf_tables_newtable(struct net *net, struct
>> sock *nlsk,
>> INIT_LIST_HEAD(&table->sets);
>> INIT_LIST_HEAD(&table->objects);
>> table->flags = flags;
>> + if (nla[NFTA_TABLE_HANDLE]) {
>> + table->handle =
>> be64_to_cpu(nla_get_be64(nla[NFTA_TABLE_HANDLE]));
>
> We don't allow to restore the handle, please remove this line.
>
OK. I'll remove this.
>> + } else {
>> + table_handle++;
>> + table->handle = table_handle;
>> + }
>>
>> nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
>> err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
>
> We need to implement deletion via handle too in nf_tables_deltable(),
> same thing for nf_table_gettable().
>
> Thus, the unique handle becomes useful.
>
OK. Other than these changes, can I work on implementing deletion via
table handle ?
Thanks for the review .
Merry Christmas !!
Regards,
Harsha Sharma
> Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
