diff options
| author | Patrick McHardy <kaber@trash.net> | 2015-04-11 05:46:41 -0400 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-04-13 14:12:32 -0400 |
| commit | 7c6c6e95a12e46f499749bdd496e53d03950f377 (patch) | |
| tree | 40afe68a6cd068af4e5102ec4989e57dbfe3e762 | |
| parent | 151d799a61da1b6f6b7e5116fb776177917bbe9a (diff) | |
netfilter: nf_tables: add flag to indicate set contains expressions
Add a set flag to indicate that the set is used as a state table and
contains expressions for evaluation. This operation is mutually
exclusive with the mapping operation, so sets specifying both are
rejected. The lookup expression also rejects binding to state tables
since it only deals with loopup and map operations.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| -rw-r--r-- | include/uapi/linux/netfilter/nf_tables.h | 2 | ||||
| -rw-r--r-- | net/netfilter/nf_tables_api.c | 8 | ||||
| -rw-r--r-- | net/netfilter/nft_lookup.c | 3 |
3 files changed, 11 insertions, 2 deletions
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index f9c5af22a6af..48942381d02f 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h | |||
| @@ -238,6 +238,7 @@ enum nft_rule_compat_attributes { | |||
| 238 | * @NFT_SET_INTERVAL: set contains intervals | 238 | * @NFT_SET_INTERVAL: set contains intervals |
| 239 | * @NFT_SET_MAP: set is used as a dictionary | 239 | * @NFT_SET_MAP: set is used as a dictionary |
| 240 | * @NFT_SET_TIMEOUT: set uses timeouts | 240 | * @NFT_SET_TIMEOUT: set uses timeouts |
| 241 | * @NFT_SET_EVAL: set contains expressions for evaluation | ||
| 241 | */ | 242 | */ |
| 242 | enum nft_set_flags { | 243 | enum nft_set_flags { |
| 243 | NFT_SET_ANONYMOUS = 0x1, | 244 | NFT_SET_ANONYMOUS = 0x1, |
| @@ -245,6 +246,7 @@ enum nft_set_flags { | |||
| 245 | NFT_SET_INTERVAL = 0x4, | 246 | NFT_SET_INTERVAL = 0x4, |
| 246 | NFT_SET_MAP = 0x8, | 247 | NFT_SET_MAP = 0x8, |
| 247 | NFT_SET_TIMEOUT = 0x10, | 248 | NFT_SET_TIMEOUT = 0x10, |
| 249 | NFT_SET_EVAL = 0x20, | ||
| 248 | }; | 250 | }; |
| 249 | 251 | ||
| 250 | /** | 252 | /** |
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 8830811550ec..78af83bc9c8e 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c | |||
| @@ -2661,9 +2661,13 @@ static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb, | |||
| 2661 | if (nla[NFTA_SET_FLAGS] != NULL) { | 2661 | if (nla[NFTA_SET_FLAGS] != NULL) { |
| 2662 | flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS])); | 2662 | flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS])); |
| 2663 | if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT | | 2663 | if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT | |
| 2664 | NFT_SET_INTERVAL | NFT_SET_MAP | | 2664 | NFT_SET_INTERVAL | NFT_SET_TIMEOUT | |
| 2665 | NFT_SET_TIMEOUT)) | 2665 | NFT_SET_MAP | NFT_SET_EVAL)) |
| 2666 | return -EINVAL; | 2666 | return -EINVAL; |
| 2667 | /* Only one of both operations is supported */ | ||
| 2668 | if ((flags & (NFT_SET_MAP | NFT_SET_EVAL)) == | ||
| 2669 | (NFT_SET_MAP | NFT_SET_EVAL)) | ||
| 2670 | return -EOPNOTSUPP; | ||
| 2667 | } | 2671 | } |
| 2668 | 2672 | ||
| 2669 | dtype = 0; | 2673 | dtype = 0; |
diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c index ba1466209f2a..b3c31ef8015d 100644 --- a/net/netfilter/nft_lookup.c +++ b/net/netfilter/nft_lookup.c | |||
| @@ -71,6 +71,9 @@ static int nft_lookup_init(const struct nft_ctx *ctx, | |||
| 71 | return PTR_ERR(set); | 71 | return PTR_ERR(set); |
| 72 | } | 72 | } |
| 73 | 73 | ||
| 74 | if (set->flags & NFT_SET_EVAL) | ||
| 75 | return -EOPNOTSUPP; | ||
| 76 | |||
| 74 | priv->sreg = nft_parse_register(tb[NFTA_LOOKUP_SREG]); | 77 | priv->sreg = nft_parse_register(tb[NFTA_LOOKUP_SREG]); |
| 75 | err = nft_validate_register_load(priv->sreg, set->klen); | 78 | err = nft_validate_register_load(priv->sreg, set->klen); |
| 76 | if (err < 0) | 79 | if (err < 0) |