[PATCH v2 6/7] netfilter: nf_tables: Add notications for hook changes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

If netdev hooks are updated due to netdev add/remove events, notify user
space via the usual netlink notification mechanism.

Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 include/net/netfilter/nf_tables.h |  4 ++++
 net/netfilter/nf_tables_api.c     | 21 +++++++++++++++++----
 net/netfilter/nft_chain_filter.c  | 16 +++++++++++++---
 3 files changed, 34 insertions(+), 7 deletions(-)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 9cbef71f0462..bfa6cb7b2fd7 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -223,6 +223,8 @@ struct nft_ctx {
 	bool				report;
 };
 
+void nft_commit_notify(struct net *net, u32 portid);
+
 enum nft_data_desc_flags {
 	NFT_DATA_DESC_SETELEM	= (1 << 0),
 };
@@ -1123,6 +1125,8 @@ int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
 int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set);
 int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain);
 void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain);
+void nf_tables_chain_notify(const struct nft_ctx *ctx, int event,
+			    const struct list_head *hook_list);
 
 enum nft_chain_types {
 	NFT_CHAIN_T_DEFAULT = 0,
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index b3a5a2878459..39202166c2a2 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1903,8 +1903,8 @@ static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
 	return -1;
 }
 
-static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event,
-				   const struct list_head *hook_list)
+void nf_tables_chain_notify(const struct nft_ctx *ctx, int event,
+			    const struct list_head *hook_list)
 {
 	struct nftables_pernet *nft_net;
 	struct sk_buff *skb;
@@ -9246,6 +9246,7 @@ static int nf_tables_flowtable_event(struct notifier_block *this,
 	struct nftables_pernet *nft_net;
 	struct nft_table *table;
 	struct net *net;
+	int rc = 0;
 
 	if (event == NETDEV_CHANGENAME) {
 		nf_tables_flowtable_event(this, NETDEV_UNREGISTER, ptr);
@@ -9260,11 +9261,23 @@ static int nf_tables_flowtable_event(struct notifier_block *this,
 	mutex_lock(&nft_net->commit_mutex);
 	list_for_each_entry(table, &nft_net->tables, list) {
 		list_for_each_entry(flowtable, &table->flowtables, list) {
-			if (nft_flowtable_event(event, dev, flowtable))
+			rc = nft_flowtable_event(event, dev, flowtable);
+			if (rc)
 				goto out_unlock;
 		}
 	}
 out_unlock:
+	if (rc == 1) {
+		struct nft_ctx ctx = {
+			.net = net,
+			.family = flowtable->table->family
+		};
+
+		nf_tables_flowtable_notify(&ctx, flowtable,
+					   &flowtable->hook_list,
+					   NFT_MSG_NEWFLOWTABLE);
+		nft_commit_notify(ctx.net, ctx.portid);
+	}
 	mutex_unlock(&nft_net->commit_mutex);
 
 	return NOTIFY_DONE;
@@ -10148,7 +10161,7 @@ static void nf_tables_commit_release(struct net *net)
 	mutex_unlock(&nft_net->commit_mutex);
 }
 
-static void nft_commit_notify(struct net *net, u32 portid)
+void nft_commit_notify(struct net *net, u32 portid)
 {
 	struct nftables_pernet *nft_net = nft_pernet(net);
 	struct sk_buff *batch_skb = NULL, *nskb, *skb;
diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c
index cc0cf47503f4..f6bea21dab16 100644
--- a/net/netfilter/nft_chain_filter.c
+++ b/net/netfilter/nft_chain_filter.c
@@ -342,6 +342,7 @@ static void nft_netdev_event(unsigned long event, struct net_device *dev,
 {
 	struct nft_base_chain *basechain = nft_base_chain(ctx->chain);
 	struct nft_hook *hook;
+	bool notify = false;
 
 	if (event != NETDEV_UNREGISTER &&
 	    event != NETDEV_REGISTER)
@@ -350,21 +351,29 @@ static void nft_netdev_event(unsigned long event, struct net_device *dev,
 	list_for_each_entry(hook, &basechain->hook_list, list) {
 		switch (event) {
 		case NETDEV_UNREGISTER:
-			if (hook->ops.dev == dev)
+			if (hook->ops.dev == dev) {
 				nft_netdev_hook_dev_update(hook, NULL);
+				notify = true;
+			}
 			break;
 		case NETDEV_REGISTER:
 			if (hook->ops.dev ||
 			    strncmp(hook->ifname, dev->name, hook->ifnamelen))
 				break;
-			if (!nft_netdev_hook_dev_update(hook, dev))
-				return;
+			if (!nft_netdev_hook_dev_update(hook, dev)) {
+				notify = true;
+				goto out_notify;
+			}
 
 			printk(KERN_ERR "chain %s: Can't hook into device %s\n",
 			       ctx->chain->name, dev->name);
 			break;
 		}
 	}
+out_notify:
+	if (notify)
+		nf_tables_chain_notify(ctx, NFT_MSG_NEWCHAIN,
+				       &basechain->hook_list);
 }
 
 static int nf_tables_netdev_event(struct notifier_block *this,
@@ -409,6 +418,7 @@ static int nf_tables_netdev_event(struct notifier_block *this,
 			nft_netdev_event(event, dev, &ctx);
 		}
 	}
+	nft_commit_notify(ctx.net, ctx.portid);
 	mutex_unlock(&nft_net->commit_mutex);
 
 	return NOTIFY_DONE;
-- 
2.43.0
[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux