Fernando Fernandez Mancera <ffmancera@xxxxxxxxxx> wrote: > I have been thinking of a way to update a quota object. i.e raise or lower the > quota limit of an existing object. I think it would be ideal to implement the > operations of updating objects in the API in a generic way. > > Therefore, we could easily give update support to each object type by adding an > update operation in the "nft_object_ops" struct. This is a conceptual patch so > it does not work. > > Signed-off-by: Fernando Fernandez Mancera <ffmancera@xxxxxxxxxx> > --- > include/net/netfilter/nf_tables.h | 4 ++++ > include/uapi/linux/netfilter/nf_tables.h | 2 ++ > net/netfilter/nf_tables_api.c | 22 ++++++++++++++++++++++ > 3 files changed, 28 insertions(+) > > diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h > index 9b624566b82d..bd1e6c19d23f 100644 > --- a/include/net/netfilter/nf_tables.h > +++ b/include/net/netfilter/nf_tables.h > @@ -1101,6 +1101,7 @@ struct nft_object_type { > * @eval: stateful object evaluation function > * @size: stateful object size > * @init: initialize object from netlink attributes > + * @update: update object from netlink attributes > * @destroy: release existing stateful object > * @dump: netlink dump stateful object > */ > @@ -1112,6 +1113,9 @@ struct nft_object_ops { > int (*init)(const struct nft_ctx *ctx, > const struct nlattr *const tb[], > struct nft_object *obj); > + int (*update)(const struct nft_ctx *ctx, > + const struct nlattr *const tb[], > + struct nft_object *obj); > void (*destroy)(const struct nft_ctx *ctx, > struct nft_object *obj); > int (*dump)(struct sk_buff *skb, > diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h > index 82abaa183fc3..8b0a012e9177 100644 > --- a/include/uapi/linux/netfilter/nf_tables.h > +++ b/include/uapi/linux/netfilter/nf_tables.h 
> @@ -92,6 +92,7 @@ enum nft_verdicts { > * @NFT_MSG_NEWOBJ: create a stateful object (enum nft_obj_attributes) > * @NFT_MSG_GETOBJ: get a stateful object (enum nft_obj_attributes) > * @NFT_MSG_DELOBJ: delete a stateful object (enum nft_obj_attributes) > + * @NFT_MSG_UPDOBJ: update a stateful object (enum nft_obj_attributes) > * @NFT_MSG_GETOBJ_RESET: get and reset a stateful object (enum nft_obj_attributes) > * @NFT_MSG_NEWFLOWTABLE: add new flow table (enum nft_flowtable_attributes) > * @NFT_MSG_GETFLOWTABLE: get flow table (enum nft_flowtable_attributes) > @@ -119,6 +120,7 @@ enum nf_tables_msg_types { > NFT_MSG_NEWOBJ, > NFT_MSG_GETOBJ, > NFT_MSG_DELOBJ, > + NFT_MSG_UPDOBJ, This breaks ABI, new enums need to be added at the end. But I wonder if we can't just re-use NEWOBJ and teach it to update the object if it exists already. Userspace can already pass EXCL flag to bail out for the 'exists' case. I agree that such feature (object update) is a good idea.
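Review bot: the new `update` callback in `struct nft_object_ops` is optional by design (only types that can sensibly be updated will implement it), so the code path that invokes it has to check for a NULL `ops->update` and fail with something like -EOPNOTSUPP instead of dereferencing it; the nf_tables_api.c hunk the diffstat lists (22 lines) is not quoted here, so that check cannot be verified from this mail. The kerneldoc line `@update: update object from netlink attributes` should also say that the op is optional, as `@destroy` and `@dump` are not.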
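Review bot: inserting `NFT_MSG_UPDOBJ` between `NFT_MSG_DELOBJ` and `NFT_MSG_GETOBJ_RESET` renumbers every later value of `enum nf_tables_msg_types` in the uapi header, which breaks the netlink ABI for existing userspace; if a new message type is kept at all it must be appended at the end of the enum (and the matching kerneldoc line moved with it), or, as the reply suggests, dropped in favour of letting `NFT_MSG_NEWOBJ` update an existing object when `NLM_F_EXCL` is not set.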
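The reply proposes reusing NFT_MSG_NEWOBJ for updates and letting the existing NLM_F_EXCL flag select create-only behaviour. The following is an added illustrative model of that dispatch, not code from the patch or from the kernel: the structures (`obj_ops`, `obj`), the in-memory object table and the quota/counter types are local stand-ins for the kernel's `nft_object_ops` and object list, and the errno choices (-EEXIST, -ENOENT, -EOPNOTSUPP, -EINVAL) are assumptions about what a real handler would return. Only the NLM_F_EXCL/NLM_F_CREATE values come from `<linux/netlink.h>`.

```c
/* Added model of "NEWOBJ creates or updates", keyed on NLM_F_EXCL/NLM_F_CREATE,
 * with an optional ->update() op as the patch proposes. Not kernel code. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NLM_F_EXCL   0x200   /* values as in <linux/netlink.h> */
#define NLM_F_CREATE 0x400
#define MAX_OBJS 8

struct obj;

/* Stand-in for nft_object_ops (assumption): ->update may be NULL. */
struct obj_ops {
	int (*init)(struct obj *o, uint64_t attr);
	int (*update)(struct obj *o, uint64_t attr);
};

struct obj {
	char name[16];
	const struct obj_ops *ops;
	uint64_t limit;      /* quota limit */
	uint64_t consumed;   /* bytes already accounted */
};

/* Quota-like type: init sets the limit; update changes only the limit and
 * keeps the consumed counter, which is why an in-place update is wanted. */
static int quota_init(struct obj *o, uint64_t attr)
{
	o->limit = attr;
	o->consumed = 0;
	return 0;
}
static int quota_update(struct obj *o, uint64_t attr)
{
	o->limit = attr;
	return 0;
}
static const struct obj_ops quota_ops = { quota_init, quota_update };

/* A type without update support: the handler must refuse, not crash. */
static int counter_init(struct obj *o, uint64_t attr)
{
	o->consumed = attr;
	return 0;
}
static const struct obj_ops counter_ops = { counter_init, NULL };

static struct obj table[MAX_OBJS];
static int nobjs;

static struct obj *lookup(const char *name)
{
	for (int i = 0; i < nobjs; i++)
		if (strcmp(table[i].name, name) == 0)
			return &table[i];
	return NULL;
}

void table_reset(void) { nobjs = 0; memset(table, 0, sizeof(table)); }

/* NEWOBJ handler: create when absent (needs NLM_F_CREATE), otherwise update
 * in place unless NLM_F_EXCL was set. Returns 0 or a negative errno. */
int newobj(uint16_t nlflags, const char *name, const struct obj_ops *ops,
	   uint64_t attr)
{
	struct obj *o = lookup(name);

	if (o) {
		if (nlflags & NLM_F_EXCL)
			return -EEXIST;       /* create-only requested */
		if (o->ops != ops)
			return -EINVAL;       /* type of an object cannot change */
		if (!o->ops->update)
			return -EOPNOTSUPP;   /* type has no update op */
		return o->ops->update(o, attr);
	}
	if (!(nlflags & NLM_F_CREATE))
		return -ENOENT;
	if (nobjs == MAX_OBJS)
		return -ENOMEM;
	o = &table[nobjs];
	snprintf(o->name, sizeof(o->name), "%s", name);
	o->ops = ops;
	int err = ops->init(o, attr);
	if (err)
		return err;
	nobjs++;
	return 0;
}

/* Accessors used by the demo below: account traffic, read state (-1 if absent). */
int obj_consume(const char *name, uint64_t bytes)
{
	struct obj *o = lookup(name);
	if (!o)
		return -ENOENT;
	o->consumed += bytes;
	return 0;
}
int64_t obj_limit(const char *name)
{
	struct obj *o = lookup(name);
	return o ? (int64_t)o->limit : -1;
}
int64_t obj_consumed(const char *name)
{
	struct obj *o = lookup(name);
	return o ? (int64_t)o->consumed : -1;
}

int main(void)
{
	newobj(NLM_F_CREATE, "q1", &quota_ops, 1000);
	obj_consume("q1", 300);
	int err = newobj(0, "q1", &quota_ops, 5000);   /* raise the limit */
	printf("update q1: err=%d limit=%lld consumed=%lld\n", err,
	       (long long)obj_limit("q1"), (long long)obj_consumed("q1"));
	printf("EXCL on existing: %d\n",
	       newobj(NLM_F_CREATE | NLM_F_EXCL, "q1", &quota_ops, 1));
	newobj(NLM_F_CREATE, "c1", &counter_ops, 0);
	printf("update of type without ->update: %d\n",
	       newobj(0, "c1", &counter_ops, 7));
	return 0;
}
```

The point the model makes is the one the review raises: with this shape, userspace keeps its existing "fail if it exists" semantics by passing NLM_F_EXCL, no new message type (and no uapi enum change) is needed, and an object type that does not implement `update` is rejected with an error rather than dereferencing a NULL op.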