
Commit 207296f

committed
netfilter: nf_tables: allow to create netdev chain without device
Relax netdev chain creation to allow for loading the ruleset, then adding/deleting devices at a later stage. Hardware offload does not support this feature yet. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
1 parent 7d937b1 commit 207296f

1 file changed

Lines changed: 11 additions & 12 deletions

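--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2023,10 +2023,9 @@ struct nft_chain_hook {
 	struct list_head list;
 };
 
-static int nft_chain_parse_netdev(struct net *net,
-				  struct nlattr *tb[],
+static int nft_chain_parse_netdev(struct net *net, struct nlattr *tb[],
 				  struct list_head *hook_list,
-				  struct netlink_ext_ack *extack)
+				  struct netlink_ext_ack *extack, u32 flags)
 {
 	struct nft_hook *hook;
 	int err;
@@ -2045,20 +2044,20 @@ static int nft_chain_parse_netdev(struct net *net,
 		if (err < 0)
 			return err;
 
-		if (list_empty(hook_list))
-			return -EINVAL;
-	} else {
-		return -EINVAL;
 	}
 
+	if (flags & NFT_CHAIN_HW_OFFLOAD &&
+	    list_empty(hook_list))
+		return -EINVAL;
+
 	return 0;
 }
 
 static int nft_chain_parse_hook(struct net *net,
 				struct nft_base_chain *basechain,
 				const struct nlattr * const nla[],
 				struct nft_chain_hook *hook, u8 family,
-				struct netlink_ext_ack *extack)
+				u32 flags, struct netlink_ext_ack *extack)
 {
 	struct nftables_pernet *nft_net = nft_pernet(net);
 	struct nlattr *ha[NFTA_HOOK_MAX + 1];
@@ -2125,7 +2124,7 @@ static int nft_chain_parse_hook(struct net *net,
 
 	INIT_LIST_HEAD(&hook->list);
 	if (nft_base_chain_netdev(family, hook->num)) {
-		err = nft_chain_parse_netdev(net, ha, &hook->list, extack);
+		err = nft_chain_parse_netdev(net, ha, &hook->list, extack, flags);
 		if (err < 0) {
 			module_put(type->owner);
 			return err;
@@ -2263,7 +2262,7 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
 	if (flags & NFT_CHAIN_BINDING)
 		return -EOPNOTSUPP;
 
-	err = nft_chain_parse_hook(net, NULL, nla, &hook, family,
+	err = nft_chain_parse_hook(net, NULL, nla, &hook, family, flags,
 				   extack);
 	if (err < 0)
 		return err;
@@ -2407,7 +2406,7 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
 
 	basechain = nft_base_chain(chain);
 	err = nft_chain_parse_hook(ctx->net, basechain, nla, &hook,
-				   ctx->family, extack);
+				   ctx->family, flags, extack);
 	if (err < 0)
 		return err;
 
@@ -2683,7 +2682,7 @@ static int nft_delchain_hook(struct nft_ctx *ctx, struct nft_chain *chain,
 
 	basechain = nft_base_chain(chain);
 	err = nft_chain_parse_hook(ctx->net, basechain, nla, &chain_hook,
-				   ctx->family, extack);
+				   ctx->family, chain->flags, extack);
 	if (err < 0)
 		return err;
 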