Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 include/uapi/linux/netfilter/nf_tables.h | 2 ++
 net/netfilter/nf_tables_api.c | 12 +++++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 66dceee0ae30..3fa02e883c15 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1341,6 +1341,7 @@ enum nft_object_attributes {
 * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32)
 * @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32)
 * @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64)
+ * @NFTA_FLOWTABLE_SIZE: maximum size (NLA_U32)
 */
 enum nft_flowtable_attributes {
 NFTA_FLOWTABLE_UNSPEC,
@@ -1350,6 +1351,7 @@ enum nft_flowtable_attributes {
 NFTA_FLOWTABLE_USE,
 NFTA_FLOWTABLE_HANDLE,
 NFTA_FLOWTABLE_PAD,
+ NFTA_FLOWTABLE_SIZE,
 __NFTA_FLOWTABLE_MAX
 };
 #define NFTA_FLOWTABLE_MAX (__NFTA_FLOWTABLE_MAX - 1)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 2b925e0d3f6d..0e60322ada2e 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4848,6 +4848,7 @@ static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
 .len = NFT_NAME_MAXLEN - 1 },
 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
+ [NFTA_FLOWTABLE_SIZE] = { .type = NLA_U32 },
 };

 struct nft_flowtable *nf_tables_flowtable_lookup(const struct nft_table *table,
@@ -5077,6 +5078,7 @@ static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
 struct nft_flowtable *flowtable, *ft;
 u8 genmask = nft_genmask_next(net);
 int family = nfmsg->nfgen_family;
+ struct rhashtable_params params;
 struct nft_table *table;
 struct nft_ctx ctx;
 int err;
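Review bot: The kernel-doc line added in the first nf_tables.h hunk, `@NFTA_FLOWTABLE_SIZE: maximum size (NLA_U32)`, does not say what is being sized or what happens when the attribute is absent. The nf_tables_api.c part of this patch copies the value into the rhashtable's `params.max_size` and otherwise keeps `*type->params`, so this looks like a limit on the hash table itself (presumably not an exact count of flow entries; worth confirming). I would word it along the lines of `@NFTA_FLOWTABLE_SIZE: maximum size of the flow hash table; if unset, the flowtable type default applies (NLA_U32)`, adjusted to the intended unit, so that userspace knows what it is configuring.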
@@ -5126,8 +5128,12 @@ static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
 goto err2;
 }

+ params = *type->params;
+ if (nla[NFTA_FLOWTABLE_SIZE])
+ params.max_size = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_SIZE]));
+
 flowtable->data.type = type;
- err = rhashtable_init(&flowtable->data.rhashtable, type->params);
+ err = rhashtable_init(&flowtable->data.rhashtable, ¶ms);
 if (err < 0)
 goto err3;

@@ -5326,6 +5332,10 @@ static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
 nla_nest_end(skb, nest_devs);
 nla_nest_end(skb, nest);

+ if (nla_put_be32(skb, NFTA_FLOWTABLE_SIZE,
+ htonl(flowtable->data.rhashtable.p.max_size)))
+ goto nla_put_failure;
+
 nlmsg_end(skb, nlh);
 return 0;

-- 
2.11.0
-- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
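Review bot: `params.max_size = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_SIZE]));` in nf_tables_newflowtable() hands a netlink-supplied value to rhashtable_init() with no range check; the policy entry added earlier in this patch only fixes the attribute type as NLA_U32. If the type's default `max_size` is meant as a cap, a caller-supplied 0 or a very large value would override it, and this path is open to anyone permitted to configure nftables in a network namespace. I would validate the value before it is used and return -EINVAL (or -ERANGE) through the same `err3` path a failing rhashtable_init() takes, with a short comment stating the accepted range. The function starts and ends outside this hunk, so I cannot see whether an existing flowtable that is updated ignores the attribute silently.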
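Review bot: The dump added in nf_tables_fill_flowtable_info() reports `flowtable->data.rhashtable.p.max_size`, the rhashtable's own copy rather than the value userspace sent, and it emits the attribute unconditionally. If rhashtable_init() normalises max_size (I believe it rounds it down to a power of two, to be confirmed), a listing will show a different number than was configured. Flowtables created without the attribute will still report one, possibly 0. Either keep the requested size in the flowtable and dump that, or skip the attribute when the value is zero and add a comment such as `/* effective limit kept by rhashtable; may differ from the requested size */`. The function continues outside the hunk.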