diff mbox series

[net-next,1/9] netfilter: nf_tables: relax set/map validation checks

Message ID 20230518100759.84858-2-fw@strlen.de (mailing list archive)
State Accepted
Commit a4878eeae39048e6abe85891c714b49dc13fc08c
Delegated to: Netdev Maintainers
Headers show
Series [net-next,1/9] netfilter: nf_tables: relax set/map validation checks | expand

Checks

Context Check Description
netdev/series_format success Pull request is its own cover letter
netdev/tree_selection success Clearly marked for net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 8 this patch: 8
netdev/cc_maintainers warning 3 maintainers not CCed: pablo@netfilter.org coreteam@netfilter.org kadlec@netfilter.org
netdev/build_clang success Errors and warnings before: 8 this patch: 8
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 8 this patch: 8
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 54 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Florian Westphal May 18, 2023, 10:07 a.m. UTC
Its currently not allowed to perform queries on a map, for example:

table t {
	map m {
		typeof ip saddr : meta mark
		..

	chain c {
		ip saddr @m counter

will fail, because kernel requires that userspace provides a destination
register when the referenced set is a map.

However, internally there is no real distinction between sets and maps,
maps are just sets where each key is associated with a value.

Relax this so that maps can be used just like sets.

This allows to have rules that query if a given key exists
without making use of the associated value.

This also permits != checks which don't work for map lookups.

When no destination reg is given for a map, then permit this for named
maps.

Data and dump paths need to be updated to consider priv->dreg_set
instead of the 'set-is-a-map' check.

Checks in reduce and validate callbacks are not changed, this
can be relaxed later if a need arises.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nft_lookup.c | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

Comments

patchwork-bot+netdevbpf@kernel.org May 18, 2023, 10:50 p.m. UTC | #1
Hello:

This series was applied to netdev/net-next.git (main)
by Florian Westphal <fw@strlen.de>:

On Thu, 18 May 2023 12:07:51 +0200 you wrote:
> Its currently not allowed to perform queries on a map, for example:
> 
> table t {
> 	map m {
> 		typeof ip saddr : meta mark
> 		..
> 
> [...]

Here is the summary with links:
  - [net-next,1/9] netfilter: nf_tables: relax set/map validation checks
    https://git.kernel.org/netdev/net-next/c/a4878eeae390
  - [net-next,2/9] netfilter: nf_tables: always increment set element count
    https://git.kernel.org/netdev/net-next/c/d4b7f29eb85c
  - [net-next,3/9] netfilter: nft_exthdr: add boolean DCCP option matching
    https://git.kernel.org/netdev/net-next/c/b9f9a485fb0e
  - [net-next,4/9] netfilter: Reorder fields in 'struct nf_conntrack_expect'
    https://git.kernel.org/netdev/net-next/c/61e03e912da8
  - [net-next,5/9] netfilter: nft_set_pipapo: Use struct_size()
    https://git.kernel.org/netdev/net-next/c/a2a0ffb08468
  - [net-next,6/9] netfilter: conntrack: allow insertion clash of gre protocol
    https://git.kernel.org/netdev/net-next/c/d671fd82eaa9
  - [net-next,7/9] netfilter: flowtable: simplify route logic
    https://git.kernel.org/netdev/net-next/c/fa502c865666
  - [net-next,8/9] netfilter: flowtable: split IPv4 datapath in helper functions
    https://git.kernel.org/netdev/net-next/c/a10fa0b489d6
  - [net-next,9/9] netfilter: flowtable: split IPv6 datapath in helper functions
    https://git.kernel.org/netdev/net-next/c/e05b5362166b

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c
index 03ef4fdaa460..29ac48cdd6db 100644
--- a/net/netfilter/nft_lookup.c
+++ b/net/netfilter/nft_lookup.c
@@ -19,6 +19,7 @@  struct nft_lookup {
 	struct nft_set			*set;
 	u8				sreg;
 	u8				dreg;
+	bool				dreg_set;
 	bool				invert;
 	struct nft_set_binding		binding;
 };
@@ -75,7 +76,7 @@  void nft_lookup_eval(const struct nft_expr *expr,
 	}
 
 	if (ext) {
-		if (set->flags & NFT_SET_MAP)
+		if (priv->dreg_set)
 			nft_data_copy(&regs->data[priv->dreg],
 				      nft_set_ext_data(ext), set->dlen);
 
@@ -122,11 +123,8 @@  static int nft_lookup_init(const struct nft_ctx *ctx,
 		if (flags & ~NFT_LOOKUP_F_INV)
 			return -EINVAL;
 
-		if (flags & NFT_LOOKUP_F_INV) {
-			if (set->flags & NFT_SET_MAP)
-				return -EINVAL;
+		if (flags & NFT_LOOKUP_F_INV)
 			priv->invert = true;
-		}
 	}
 
 	if (tb[NFTA_LOOKUP_DREG] != NULL) {
@@ -140,8 +138,17 @@  static int nft_lookup_init(const struct nft_ctx *ctx,
 					       set->dlen);
 		if (err < 0)
 			return err;
-	} else if (set->flags & NFT_SET_MAP)
-		return -EINVAL;
+		priv->dreg_set = true;
+	} else if (set->flags & NFT_SET_MAP) {
+		/* Map given, but user asks for lookup only (i.e. to
+		 * ignore value assoicated with key).
+		 *
+		 * This makes no sense for anonymous maps since they are
+		 * scoped to the rule, but for named sets this can be useful.
+		 */
+		if (set->flags & NFT_SET_ANONYMOUS)
+			return -EINVAL;
+	}
 
 	priv->binding.flags = set->flags & NFT_SET_MAP;
 
@@ -188,7 +195,7 @@  static int nft_lookup_dump(struct sk_buff *skb,
 		goto nla_put_failure;
 	if (nft_dump_register(skb, NFTA_LOOKUP_SREG, priv->sreg))
 		goto nla_put_failure;
-	if (priv->set->flags & NFT_SET_MAP)
+	if (priv->dreg_set)
 		if (nft_dump_register(skb, NFTA_LOOKUP_DREG, priv->dreg))
 			goto nla_put_failure;
 	if (nla_put_be32(skb, NFTA_LOOKUP_FLAGS, htonl(flags)))