mirrors/linux
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2026-02-19 05:32:22 -05:00
Code Issues Packages Projects Releases Wiki Activity

netfilter: nf_tables: Wrap netdev notifiers

Browse Source 
Handling NETDEV_CHANGENAME events has to traverse all chains/flowtables
twice, prepare for this. No functional change intended.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Phil Sutter
2025-05-21 22:44:29 +02:00
committed by Pablo Neira Ayuso
parent a331b78a55
commit 9669c1105b
2 changed files with 46 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
net/netfilter/nf_tables_api.c
View File

@@ -9736,13 +9736,28 @@ static int nft_flowtable_event(unsigned long event, struct net_device *dev,
return 0;
}
static int __nf_tables_flowtable_event(unsigned long event,
struct net_device *dev)
{
struct nftables_pernet *nft_net = nft_pernet(dev_net(dev));
struct nft_flowtable *flowtable;
struct nft_table *table;
list_for_each_entry(table, &nft_net->tables, list) {
list_for_each_entry(flowtable, &table->flowtables, list) {
if (nft_flowtable_event(event, dev, flowtable))
return 1;
}
}
return 0;
}
static int nf_tables_flowtable_event(struct notifier_block *this,
unsigned long event, void *ptr)
{
struct net_device *dev = netdev_notifier_info_to_dev(ptr);
struct nft_flowtable *flowtable;
struct nftables_pernet *nft_net;
struct nft_table *table;
int ret = NOTIFY_DONE;
struct net *net;
if (event != NETDEV_REGISTER &&
@@ -9752,17 +9767,12 @@ static int nf_tables_flowtable_event(struct notifier_block *this,
net = dev_net(dev);
nft_net = nft_pernet(net);
mutex_lock(&nft_net->commit_mutex);
list_for_each_entry(table, &nft_net->tables, list) {
list_for_each_entry(flowtable, &table->flowtables, list) {
if (nft_flowtable_event(event, dev, flowtable)) {
mutex_unlock(&nft_net->commit_mutex);
return NOTIFY_BAD;
}
}
}
mutex_unlock(&nft_net->commit_mutex);
return NOTIFY_DONE;
if (__nf_tables_flowtable_event(event, dev))
ret = NOTIFY_BAD;
mutex_unlock(&nft_net->commit_mutex);
return ret;
}
static struct notifier_block nf_tables_flowtable_notifier = {

38
net/netfilter/nft_chain_filter.c
View File

@@ -363,21 +363,14 @@ static int nft_netdev_event(unsigned long event, struct net_device *dev,
return 0;
}
static int nf_tables_netdev_event(struct notifier_block *this,
unsigned long event, void *ptr)
static int __nf_tables_netdev_event(unsigned long event, struct net_device *dev)
{
struct net_device *dev = netdev_notifier_info_to_dev(ptr);
struct nft_base_chain *basechain;
struct nftables_pernet *nft_net;
struct nft_chain *chain;
struct nft_table *table;
if (event != NETDEV_REGISTER &&
event != NETDEV_UNREGISTER)
return NOTIFY_DONE;
nft_net = nft_pernet(dev_net(dev));
mutex_lock(&nft_net->commit_mutex);
list_for_each_entry(table, &nft_net->tables, list) {
if (table->family != NFPROTO_NETDEV &&
table->family != NFPROTO_INET)
@@ -392,15 +385,32 @@ static int nf_tables_netdev_event(struct notifier_block *this,
basechain->ops.hooknum != NF_INET_INGRESS)
continue;
if (nft_netdev_event(event, dev, basechain)) {
mutex_unlock(&nft_net->commit_mutex);
return NOTIFY_BAD;
}
if (nft_netdev_event(event, dev, basechain))
return 1;
}
}
mutex_unlock(&nft_net->commit_mutex);
return 0;
}
return NOTIFY_DONE;
static int nf_tables_netdev_event(struct notifier_block *this,
unsigned long event, void *ptr)
{
struct net_device *dev = netdev_notifier_info_to_dev(ptr);
struct nftables_pernet *nft_net;
int ret = NOTIFY_DONE;
if (event != NETDEV_REGISTER &&
event != NETDEV_UNREGISTER)
return NOTIFY_DONE;
nft_net = nft_pernet(dev_net(dev));
mutex_lock(&nft_net->commit_mutex);
if (__nf_tables_netdev_event(event, dev))
ret = NOTIFY_BAD;
mutex_unlock(&nft_net->commit_mutex);
return ret;
}
static struct notifier_block nf_tables_netdev_notifier = {