Message ID | 20230518100759.84858-2-fw@strlen.de (mailing list archive) |
---|---|
State | Accepted |
Commit | a4878eeae39048e6abe85891c714b49dc13fc08c |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | [net-next,1/9] netfilter: nf_tables: relax set/map validation checks | expand |
Hello: This series was applied to netdev/net-next.git (main) by Florian Westphal <fw@strlen.de>: On Thu, 18 May 2023 12:07:51 +0200 you wrote: > Its currently not allowed to perform queries on a map, for example: > > table t { > map m { > typeof ip saddr : meta mark > .. > > [...] Here is the summary with links: - [net-next,1/9] netfilter: nf_tables: relax set/map validation checks https://git.kernel.org/netdev/net-next/c/a4878eeae390 - [net-next,2/9] netfilter: nf_tables: always increment set element count https://git.kernel.org/netdev/net-next/c/d4b7f29eb85c - [net-next,3/9] netfilter: nft_exthdr: add boolean DCCP option matching https://git.kernel.org/netdev/net-next/c/b9f9a485fb0e - [net-next,4/9] netfilter: Reorder fields in 'struct nf_conntrack_expect' https://git.kernel.org/netdev/net-next/c/61e03e912da8 - [net-next,5/9] netfilter: nft_set_pipapo: Use struct_size() https://git.kernel.org/netdev/net-next/c/a2a0ffb08468 - [net-next,6/9] netfilter: conntrack: allow insertion clash of gre protocol https://git.kernel.org/netdev/net-next/c/d671fd82eaa9 - [net-next,7/9] netfilter: flowtable: simplify route logic https://git.kernel.org/netdev/net-next/c/fa502c865666 - [net-next,8/9] netfilter: flowtable: split IPv4 datapath in helper functions https://git.kernel.org/netdev/net-next/c/a10fa0b489d6 - [net-next,9/9] netfilter: flowtable: split IPv6 datapath in helper functions https://git.kernel.org/netdev/net-next/c/e05b5362166b You are awesome, thank you!
diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c index 03ef4fdaa460..29ac48cdd6db 100644 --- a/net/netfilter/nft_lookup.c +++ b/net/netfilter/nft_lookup.c @@ -19,6 +19,7 @@ struct nft_lookup { struct nft_set *set; u8 sreg; u8 dreg; + bool dreg_set; bool invert; struct nft_set_binding binding; }; @@ -75,7 +76,7 @@ void nft_lookup_eval(const struct nft_expr *expr, } if (ext) { - if (set->flags & NFT_SET_MAP) + if (priv->dreg_set) nft_data_copy(®s->data[priv->dreg], nft_set_ext_data(ext), set->dlen); @@ -122,11 +123,8 @@ static int nft_lookup_init(const struct nft_ctx *ctx, if (flags & ~NFT_LOOKUP_F_INV) return -EINVAL; - if (flags & NFT_LOOKUP_F_INV) { - if (set->flags & NFT_SET_MAP) - return -EINVAL; + if (flags & NFT_LOOKUP_F_INV) priv->invert = true; - } } if (tb[NFTA_LOOKUP_DREG] != NULL) { @@ -140,8 +138,17 @@ static int nft_lookup_init(const struct nft_ctx *ctx, set->dlen); if (err < 0) return err; - } else if (set->flags & NFT_SET_MAP) - return -EINVAL; + priv->dreg_set = true; + } else if (set->flags & NFT_SET_MAP) { + /* Map given, but user asks for lookup only (i.e. to + * ignore value assoicated with key). + * + * This makes no sense for anonymous maps since they are + * scoped to the rule, but for named sets this can be useful. + */ + if (set->flags & NFT_SET_ANONYMOUS) + return -EINVAL; + } priv->binding.flags = set->flags & NFT_SET_MAP; @@ -188,7 +195,7 @@ static int nft_lookup_dump(struct sk_buff *skb, goto nla_put_failure; if (nft_dump_register(skb, NFTA_LOOKUP_SREG, priv->sreg)) goto nla_put_failure; - if (priv->set->flags & NFT_SET_MAP) + if (priv->dreg_set) if (nft_dump_register(skb, NFTA_LOOKUP_DREG, priv->dreg)) goto nla_put_failure; if (nla_put_be32(skb, NFTA_LOOKUP_FLAGS, htonl(flags)))
Its currently not allowed to perform queries on a map, for example: table t { map m { typeof ip saddr : meta mark .. chain c { ip saddr @m counter will fail, because kernel requires that userspace provides a destination register when the referenced set is a map. However, internally there is no real distinction between sets and maps, maps are just sets where each key is associated with a value. Relax this so that maps can be used just like sets. This allows to have rules that query if a given key exists without making use of the associated value. This also permits != checks which don't work for map lookups. When no destination reg is given for a map, then permit this for named maps. Data and dump paths need to be updated to consider priv->dreg_set instead of the 'set-is-a-map' check. Checks in reduce and validate callbacks are not changed, this can be relaxed later if a need arises. Signed-off-by: Florian Westphal <fw@strlen.de> --- net/netfilter/nft_lookup.c | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-)