netfilter: nf_tables: add support for dynamic set updates

Add a new "dynset" expression for dynamic set updates. A new set op ->update() is added which, for non existant elements, invokes an initialization callback and inserts the new element. For both new or existing elements the extenstion pointer is returned to the caller to optionally perform timer updates or other actions. Element removal is not supported so far, however that seems to be a rather exotic need and can be added later on. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Patrick McHardy <kaber@trash.net> 2015-04-05 08:41:08 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2015-04-08 10:58:27 -0400
commit: 22fe54d5fefcfa98c58cc2f4607dd26d9648b3f5 (patch)
tree: 153c791a6efb2c0eb7aca4baecb84cb76199b706 /net
parent: 11113e190bf0ad73086884f87efccc994ff28b3d (diff)
5 files changed, 268 insertions, 6 deletions
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 89f73a9e9874..a87d8b8ec730 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -70,7 +70,7 @@ obj-$(CONFIG_NETFILTER_SYNPROXY) += nf_synproxy_core.o
 # nf_tables
 nf_tables-objs += nf_tables_core.o nf_tables_api.o
-nf_tables-objs += nft_immediate.o nft_cmp.o nft_lookup.o
+nf_tables-objs += nft_immediate.o nft_cmp.o nft_lookup.o nft_dynset.o
 nf_tables-objs += nft_bitwise.o nft_byteorder.o nft_payload.o
 obj-$(CONFIG_NF_TABLES)         += nf_tables.o
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 90b898491da7..598e53eb64b3 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3183,11 +3183,11 @@ static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
        return trans;
 }
-static void *nft_set_elem_init(const struct nft_set *set,
+void *nft_set_elem_init(const struct nft_set *set,
-                               const struct nft_set_ext_tmpl *tmpl,
+                        const struct nft_set_ext_tmpl *tmpl,
-                               const struct nft_data *key,
+                        const struct nft_data *key,
-                               const struct nft_data *data,
+                        const struct nft_data *data,
-                               u64 timeout, gfp_t gfp)
+                        u64 timeout, gfp_t gfp)
 {
        struct nft_set_ext *ext;
        void *elem;
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index ef4dfcbaf149..7caf08a9225d 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -239,8 +239,14 @@ int __init nf_tables_core_module_init(void)
        if (err < 0)
                goto err6;
+        err = nft_dynset_module_init();
+        if (err < 0)
+                goto err7;
        return 0;
+err7:
+        nft_payload_module_exit();
 err6:
        nft_byteorder_module_exit();
 err5:
@@ -257,6 +263,7 @@ err1:
 void nf_tables_core_module_exit(void)
 {
+        nft_dynset_module_exit();
        nft_payload_module_exit();
        nft_byteorder_module_exit();
        nft_bitwise_module_exit();
diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
new file mode 100644
index 000000000000..eeb72dee78ef
--- /dev/null
+++ b/net/netfilter/nft_dynset.c
@@ -0,0 +1,218 @@
+/*
+ * Copyright (c) 2015 Patrick McHardy <kaber@trash.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/init.h>
+#include <linux/netlink.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_tables.h>
+#include <net/netfilter/nf_tables.h>
+#include <net/netfilter/nf_tables_core.h>
+struct nft_dynset {
+        struct nft_set                  *set;
+        struct nft_set_ext_tmpl         tmpl;
+        enum nft_dynset_ops             op:8;
+        enum nft_registers              sreg_key:8;
+        enum nft_registers              sreg_data:8;
+        u64                             timeout;
+        struct nft_set_binding          binding;
+};
+static void *nft_dynset_new(struct nft_set *set, const struct nft_expr *expr,
+                            struct nft_data data[NFT_REG_MAX + 1])
+{
+        const struct nft_dynset *priv = nft_expr_priv(expr);
+        u64 timeout;
+        void *elem;
+        if (set->size && !atomic_add_unless(&set->nelems, 1, set->size))
+                return NULL;
+        timeout = priv->timeout ? : set->timeout;
+        elem = nft_set_elem_init(set, &priv->tmpl,
+                                 &data[priv->sreg_key], &data[priv->sreg_data],
+                                 timeout, GFP_ATOMIC);
+        if (elem == NULL) {
+                if (set->size)
+                        atomic_dec(&set->nelems);
+        }
+        return elem;
+}
+static void nft_dynset_eval(const struct nft_expr *expr,
+                            struct nft_data data[NFT_REG_MAX + 1],
+                            const struct nft_pktinfo *pkt)
+{
+        const struct nft_dynset *priv = nft_expr_priv(expr);
+        struct nft_set *set = priv->set;
+        const struct nft_set_ext *ext;
+        u64 timeout;
+        if (set->ops->update(set, &data[priv->sreg_key], nft_dynset_new,
+                             expr, data, &ext)) {
+                if (priv->op == NFT_DYNSET_OP_UPDATE &&
+                    nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
+                        timeout = priv->timeout ? : set->timeout;
+                        *nft_set_ext_expiration(ext) = jiffies + timeout;
+                        return;
+                }
+        }
+        data[NFT_REG_VERDICT].verdict = NFT_BREAK;
+}
+static const struct nla_policy nft_dynset_policy[NFTA_DYNSET_MAX + 1] = {
+        [NFTA_DYNSET_SET_NAME]  = { .type = NLA_STRING },
+        [NFTA_DYNSET_SET_ID]    = { .type = NLA_U32 },
+        [NFTA_DYNSET_OP]        = { .type = NLA_U32 },
+        [NFTA_DYNSET_SREG_KEY]  = { .type = NLA_U32 },
+        [NFTA_DYNSET_SREG_DATA] = { .type = NLA_U32 },
+        [NFTA_DYNSET_TIMEOUT]   = { .type = NLA_U64 },
+};
+static int nft_dynset_init(const struct nft_ctx *ctx,
+                           const struct nft_expr *expr,
+                           const struct nlattr * const tb[])
+{
+        struct nft_dynset *priv = nft_expr_priv(expr);
+        struct nft_set *set;
+        u64 timeout;
+        int err;
+        if (tb[NFTA_DYNSET_SET_NAME] == NULL ||
+            tb[NFTA_DYNSET_OP] == NULL ||
+            tb[NFTA_DYNSET_SREG_KEY] == NULL)
+                return -EINVAL;
+        set = nf_tables_set_lookup(ctx->table, tb[NFTA_DYNSET_SET_NAME]);
+        if (IS_ERR(set)) {
+                if (tb[NFTA_DYNSET_SET_ID])
+                        set = nf_tables_set_lookup_byid(ctx->net,
+                                                        tb[NFTA_DYNSET_SET_ID]);
+                if (IS_ERR(set))
+                        return PTR_ERR(set);
+        }
+        if (set->flags & NFT_SET_CONSTANT)
+                return -EBUSY;
+        priv->op = ntohl(nla_get_be32(tb[NFTA_DYNSET_OP]));
+        switch (priv->op) {
+        case NFT_DYNSET_OP_ADD:
+                break;
+        case NFT_DYNSET_OP_UPDATE:
+                if (!(set->flags & NFT_SET_TIMEOUT))
+                        return -EOPNOTSUPP;
+                break;
+        default:
+                return -EOPNOTSUPP;
+        }
+        timeout = 0;
+        if (tb[NFTA_DYNSET_TIMEOUT] != NULL) {
+                if (!(set->flags & NFT_SET_TIMEOUT))
+                        return -EINVAL;
+                timeout = be64_to_cpu(nla_get_be64(tb[NFTA_DYNSET_TIMEOUT]));
+        }
+        priv->sreg_key = ntohl(nla_get_be32(tb[NFTA_DYNSET_SREG_KEY]));
+        err = nft_validate_input_register(priv->sreg_key);
+        if (err < 0)
+                return err;
+        if (tb[NFTA_DYNSET_SREG_DATA] != NULL) {
+                if (!(set->flags & NFT_SET_MAP))
+                        return -EINVAL;
+                if (set->dtype == NFT_DATA_VERDICT)
+                        return -EOPNOTSUPP;
+                priv->sreg_data = ntohl(nla_get_be32(tb[NFTA_DYNSET_SREG_DATA]));
+                err = nft_validate_input_register(priv->sreg_data);
+                if (err < 0)
+                        return err;
+        } else if (set->flags & NFT_SET_MAP)
+                return -EINVAL;
+        nft_set_ext_prepare(&priv->tmpl);
+        nft_set_ext_add_length(&priv->tmpl, NFT_SET_EXT_KEY, set->klen);
+        if (set->flags & NFT_SET_MAP)
+                nft_set_ext_add_length(&priv->tmpl, NFT_SET_EXT_DATA, set->dlen);
+        if (set->flags & NFT_SET_TIMEOUT) {
+                if (timeout || set->timeout)
+                        nft_set_ext_add(&priv->tmpl, NFT_SET_EXT_EXPIRATION);
+        }
+        priv->timeout = timeout;
+        err = nf_tables_bind_set(ctx, set, &priv->binding);
+        if (err < 0)
+                return err;
+        priv->set = set;
+        return 0;
+}
+static void nft_dynset_destroy(const struct nft_ctx *ctx,
+                               const struct nft_expr *expr)
+{
+        struct nft_dynset *priv = nft_expr_priv(expr);
+        nf_tables_unbind_set(ctx, priv->set, &priv->binding);
+}
+static int nft_dynset_dump(struct sk_buff *skb, const struct nft_expr *expr)
+{
+        const struct nft_dynset *priv = nft_expr_priv(expr);
+        if (nla_put_be32(skb, NFTA_DYNSET_SREG_KEY, htonl(priv->sreg_key)))
+                goto nla_put_failure;
+        if (priv->set->flags & NFT_SET_MAP &&
+            nla_put_be32(skb, NFTA_DYNSET_SREG_DATA, htonl(priv->sreg_data)))
+                goto nla_put_failure;
+        if (nla_put_be32(skb, NFTA_DYNSET_OP, htonl(priv->op)))
+                goto nla_put_failure;
+        if (nla_put_string(skb, NFTA_DYNSET_SET_NAME, priv->set->name))
+                goto nla_put_failure;
+        if (nla_put_be64(skb, NFTA_DYNSET_TIMEOUT, cpu_to_be64(priv->timeout)))
+                goto nla_put_failure;
+        return 0;
+nla_put_failure:
+        return -1;
+}
+static struct nft_expr_type nft_dynset_type;
+static const struct nft_expr_ops nft_dynset_ops = {
+        .type           = &nft_dynset_type,
+        .size           = NFT_EXPR_SIZE(sizeof(struct nft_dynset)),
+        .eval           = nft_dynset_eval,
+        .init           = nft_dynset_init,
+        .destroy        = nft_dynset_destroy,
+        .dump           = nft_dynset_dump,
+};
+static struct nft_expr_type nft_dynset_type __read_mostly = {
+        .name           = "dynset",
+        .ops            = &nft_dynset_ops,
+        .policy         = nft_dynset_policy,
+        .maxattr        = NFTA_DYNSET_MAX,
+        .owner          = THIS_MODULE,
+};
+int __init nft_dynset_module_init(void)
+{
+        return nft_register_expr(&nft_dynset_type);
+}
+void nft_dynset_module_exit(void)
+{
+        nft_unregister_expr(&nft_dynset_type);
+}
diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c
index c74e2bf1a1e4..bc23806b7fbe 100644
--- a/net/netfilter/nft_hash.c
+++ b/net/netfilter/nft_hash.c
@@ -90,6 +90,42 @@ static bool nft_hash_lookup(const struct nft_set *set,
        return !!he;
 }
+static bool nft_hash_update(struct nft_set *set, const struct nft_data *key,
+                            void *(*new)(struct nft_set *,
+                                         const struct nft_expr *,
+                                         struct nft_data []),
+                            const struct nft_expr *expr,
+                            struct nft_data data[],
+                            const struct nft_set_ext **ext)
+{
+        struct nft_hash *priv = nft_set_priv(set);
+        struct nft_hash_elem *he;
+        struct nft_hash_cmp_arg arg = {
+                .genmask = NFT_GENMASK_ANY,
+                .set     = set,
+                .key     = key,
+        };
+        he = rhashtable_lookup_fast(&priv->ht, &arg, nft_hash_params);
+        if (he != NULL)
+                goto out;
+        he = new(set, expr, data);
+        if (he == NULL)
+                goto err1;
+        if (rhashtable_lookup_insert_key(&priv->ht, &arg, &he->node,
+                                         nft_hash_params))
+                goto err2;
+out:
+        *ext = &he->ext;
+        return true;
+err2:
+        nft_set_elem_destroy(set, he);
+err1:
+        return false;
+}
 static int nft_hash_insert(const struct nft_set *set,
                           const struct nft_set_elem *elem)
 {
@@ -335,6 +371,7 @@ static struct nft_set_ops nft_hash_ops __read_mostly = {
        .deactivate     = nft_hash_deactivate,
        .remove         = nft_hash_remove,
        .lookup         = nft_hash_lookup,
+        .update         = nft_hash_update,
        .walk           = nft_hash_walk,
        .features       = NFT_SET_MAP | NFT_SET_TIMEOUT,
        .owner          = THIS_MODULE,
author	Patrick McHardy <kaber@trash.net>	2015-04-05 08:41:08 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2015-04-08 10:58:27 -0400
commit	22fe54d5fefcfa98c58cc2f4607dd26d9648b3f5 (patch)
tree	153c791a6efb2c0eb7aca4baecb84cb76199b706 /net
parent	11113e190bf0ad73086884f87efccc994ff28b3d (diff)

diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index 89f73a9e9874..a87d8b8ec730 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile
@@ -70,7 +70,7 @@ obj-$(CONFIG_NETFILTER_SYNPROXY) += nf_synproxy_core.o
70		70
71	# nf_tables	71	# nf_tables
72	nf_tables-objs += nf_tables_core.o nf_tables_api.o	72	nf_tables-objs += nf_tables_core.o nf_tables_api.o
73	nf_tables-objs += nft_immediate.o nft_cmp.o nft_lookup.o	73	nf_tables-objs += nft_immediate.o nft_cmp.o nft_lookup.o nft_dynset.o
74	nf_tables-objs += nft_bitwise.o nft_byteorder.o nft_payload.o	74	nf_tables-objs += nft_bitwise.o nft_byteorder.o nft_payload.o
75		75
76	obj-$(CONFIG_NF_TABLES) += nf_tables.o	76	obj-$(CONFIG_NF_TABLES) += nf_tables.o


diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 90b898491da7..598e53eb64b3 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c
@@ -3183,11 +3183,11 @@ static struct nft_trans nft_trans_elem_alloc(struct nft_ctx ctx,
3183	return trans;	3183	return trans;
3184	}	3184	}
3185		3185
3186	static void nft_set_elem_init(const struct nft_set set,	3186	void nft_set_elem_init(const struct nft_set set,
3187	const struct nft_set_ext_tmpl *tmpl,	3187	const struct nft_set_ext_tmpl *tmpl,
3188	const struct nft_data *key,	3188	const struct nft_data *key,
3189	const struct nft_data *data,	3189	const struct nft_data *data,
3190	u64 timeout, gfp_t gfp)	3190	u64 timeout, gfp_t gfp)
3191	{	3191	{
3192	struct nft_set_ext *ext;	3192	struct nft_set_ext *ext;
3193	void *elem;	3193	void *elem;


diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c index ef4dfcbaf149..7caf08a9225d 100644 --- a/net/netfilter/nf_tables_core.c +++ b/net/netfilter/nf_tables_core.c
@@ -239,8 +239,14 @@ int __init nf_tables_core_module_init(void)
239	if (err < 0)	239	if (err < 0)
240	goto err6;	240	goto err6;
241		241
		242	err = nft_dynset_module_init();
		243	if (err < 0)
		244	goto err7;
		245
242	return 0;	246	return 0;
243		247
		248	err7:
		249	nft_payload_module_exit();
244	err6:	250	err6:
245	nft_byteorder_module_exit();	251	nft_byteorder_module_exit();
246	err5:	252	err5:
@@ -257,6 +263,7 @@ err1:
257		263
258	void nf_tables_core_module_exit(void)	264	void nf_tables_core_module_exit(void)
259	{	265	{
		266	nft_dynset_module_exit();
260	nft_payload_module_exit();	267	nft_payload_module_exit();
261	nft_byteorder_module_exit();	268	nft_byteorder_module_exit();
262	nft_bitwise_module_exit();	269	nft_bitwise_module_exit();


diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c new file mode 100644 index 000000000000..eeb72dee78ef --- /dev/null +++ b/net/netfilter/nft_dynset.c
@@ -0,0 +1,218 @@
		1	/*
		2	* Copyright (c) 2015 Patrick McHardy <kaber@trash.net>
		3	*
		4	* This program is free software; you can redistribute it and/or modify
		5	* it under the terms of the GNU General Public License version 2 as
		6	* published by the Free Software Foundation.
		7	*
		8	*/
		9
		10	#include <linux/kernel.h>
		11	#include <linux/module.h>
		12	#include <linux/init.h>
		13	#include <linux/netlink.h>
		14	#include <linux/netfilter.h>
		15	#include <linux/netfilter/nf_tables.h>
		16	#include <net/netfilter/nf_tables.h>
		17	#include <net/netfilter/nf_tables_core.h>
		18
		19	struct nft_dynset {
		20	struct nft_set *set;
		21	struct nft_set_ext_tmpl tmpl;
		22	enum nft_dynset_ops op:8;
		23	enum nft_registers sreg_key:8;
		24	enum nft_registers sreg_data:8;
		25	u64 timeout;
		26	struct nft_set_binding binding;
		27	};
		28
		29	static void nft_dynset_new(struct nft_set set, const struct nft_expr *expr,
		30	struct nft_data data[NFT_REG_MAX + 1])
		31	{
		32	const struct nft_dynset *priv = nft_expr_priv(expr);
		33	u64 timeout;
		34	void *elem;
		35
		36	if (set->size && !atomic_add_unless(&set->nelems, 1, set->size))
		37	return NULL;
		38
		39	timeout = priv->timeout ? : set->timeout;
		40	elem = nft_set_elem_init(set, &priv->tmpl,
		41	&data[priv->sreg_key], &data[priv->sreg_data],
		42	timeout, GFP_ATOMIC);
		43	if (elem == NULL) {
		44	if (set->size)
		45	atomic_dec(&set->nelems);
		46	}
		47	return elem;
		48	}
		49
		50	static void nft_dynset_eval(const struct nft_expr *expr,
		51	struct nft_data data[NFT_REG_MAX + 1],
		52	const struct nft_pktinfo *pkt)
		53	{
		54	const struct nft_dynset *priv = nft_expr_priv(expr);
		55	struct nft_set *set = priv->set;
		56	const struct nft_set_ext *ext;
		57	u64 timeout;
		58
		59	if (set->ops->update(set, &data[priv->sreg_key], nft_dynset_new,
		60	expr, data, &ext)) {
		61	if (priv->op == NFT_DYNSET_OP_UPDATE &&
		62	nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
		63	timeout = priv->timeout ? : set->timeout;
		64	*nft_set_ext_expiration(ext) = jiffies + timeout;
		65	return;
		66	}
		67	}
		68
		69	data[NFT_REG_VERDICT].verdict = NFT_BREAK;
		70	}
		71
		72	static const struct nla_policy nft_dynset_policy[NFTA_DYNSET_MAX + 1] = {
		73	[NFTA_DYNSET_SET_NAME] = { .type = NLA_STRING },
		74	[NFTA_DYNSET_SET_ID] = { .type = NLA_U32 },
		75	[NFTA_DYNSET_OP] = { .type = NLA_U32 },
		76	[NFTA_DYNSET_SREG_KEY] = { .type = NLA_U32 },
		77	[NFTA_DYNSET_SREG_DATA] = { .type = NLA_U32 },
		78	[NFTA_DYNSET_TIMEOUT] = { .type = NLA_U64 },
		79	};
		80
		81	static int nft_dynset_init(const struct nft_ctx *ctx,
		82	const struct nft_expr *expr,
		83	const struct nlattr * const tb[])
		84	{
		85	struct nft_dynset *priv = nft_expr_priv(expr);
		86	struct nft_set *set;
		87	u64 timeout;
		88	int err;
		89
		90	if (tb[NFTA_DYNSET_SET_NAME] == NULL \|\|
		91	tb[NFTA_DYNSET_OP] == NULL \|\|
		92	tb[NFTA_DYNSET_SREG_KEY] == NULL)
		93	return -EINVAL;
		94
		95	set = nf_tables_set_lookup(ctx->table, tb[NFTA_DYNSET_SET_NAME]);
		96	if (IS_ERR(set)) {
		97	if (tb[NFTA_DYNSET_SET_ID])
		98	set = nf_tables_set_lookup_byid(ctx->net,
		99	tb[NFTA_DYNSET_SET_ID]);
		100	if (IS_ERR(set))
		101	return PTR_ERR(set);
		102	}
		103
		104	if (set->flags & NFT_SET_CONSTANT)
		105	return -EBUSY;
		106
		107	priv->op = ntohl(nla_get_be32(tb[NFTA_DYNSET_OP]));
		108	switch (priv->op) {
		109	case NFT_DYNSET_OP_ADD:
		110	break;
		111	case NFT_DYNSET_OP_UPDATE:
		112	if (!(set->flags & NFT_SET_TIMEOUT))
		113	return -EOPNOTSUPP;
		114	break;
		115	default:
		116	return -EOPNOTSUPP;
		117	}
		118
		119	timeout = 0;
		120	if (tb[NFTA_DYNSET_TIMEOUT] != NULL) {
		121	if (!(set->flags & NFT_SET_TIMEOUT))
		122	return -EINVAL;
		123	timeout = be64_to_cpu(nla_get_be64(tb[NFTA_DYNSET_TIMEOUT]));
		124	}
		125
		126	priv->sreg_key = ntohl(nla_get_be32(tb[NFTA_DYNSET_SREG_KEY]));
		127	err = nft_validate_input_register(priv->sreg_key);
		128	if (err < 0)
		129	return err;
		130
		131	if (tb[NFTA_DYNSET_SREG_DATA] != NULL) {
		132	if (!(set->flags & NFT_SET_MAP))
		133	return -EINVAL;
		134	if (set->dtype == NFT_DATA_VERDICT)
		135	return -EOPNOTSUPP;
		136
		137	priv->sreg_data = ntohl(nla_get_be32(tb[NFTA_DYNSET_SREG_DATA]));
		138	err = nft_validate_input_register(priv->sreg_data);
		139	if (err < 0)
		140	return err;
		141	} else if (set->flags & NFT_SET_MAP)
		142	return -EINVAL;
		143
		144	nft_set_ext_prepare(&priv->tmpl);
		145	nft_set_ext_add_length(&priv->tmpl, NFT_SET_EXT_KEY, set->klen);
		146	if (set->flags & NFT_SET_MAP)
		147	nft_set_ext_add_length(&priv->tmpl, NFT_SET_EXT_DATA, set->dlen);
		148	if (set->flags & NFT_SET_TIMEOUT) {
		149	if (timeout \|\| set->timeout)
		150	nft_set_ext_add(&priv->tmpl, NFT_SET_EXT_EXPIRATION);
		151	}
		152
		153	priv->timeout = timeout;
		154
		155	err = nf_tables_bind_set(ctx, set, &priv->binding);
		156	if (err < 0)
		157	return err;
		158
		159	priv->set = set;
		160	return 0;
		161	}
		162
		163	static void nft_dynset_destroy(const struct nft_ctx *ctx,
		164	const struct nft_expr *expr)
		165	{
		166	struct nft_dynset *priv = nft_expr_priv(expr);
		167
		168	nf_tables_unbind_set(ctx, priv->set, &priv->binding);
		169	}
		170
		171	static int nft_dynset_dump(struct sk_buff skb, const struct nft_expr expr)
		172	{
		173	const struct nft_dynset *priv = nft_expr_priv(expr);
		174
		175	if (nla_put_be32(skb, NFTA_DYNSET_SREG_KEY, htonl(priv->sreg_key)))
		176	goto nla_put_failure;
		177	if (priv->set->flags & NFT_SET_MAP &&
		178	nla_put_be32(skb, NFTA_DYNSET_SREG_DATA, htonl(priv->sreg_data)))
		179	goto nla_put_failure;
		180	if (nla_put_be32(skb, NFTA_DYNSET_OP, htonl(priv->op)))
		181	goto nla_put_failure;
		182	if (nla_put_string(skb, NFTA_DYNSET_SET_NAME, priv->set->name))
		183	goto nla_put_failure;
		184	if (nla_put_be64(skb, NFTA_DYNSET_TIMEOUT, cpu_to_be64(priv->timeout)))
		185	goto nla_put_failure;
		186	return 0;
		187
		188	nla_put_failure:
		189	return -1;
		190	}
		191
		192	static struct nft_expr_type nft_dynset_type;
		193	static const struct nft_expr_ops nft_dynset_ops = {
		194	.type = &nft_dynset_type,
		195	.size = NFT_EXPR_SIZE(sizeof(struct nft_dynset)),
		196	.eval = nft_dynset_eval,
		197	.init = nft_dynset_init,
		198	.destroy = nft_dynset_destroy,
		199	.dump = nft_dynset_dump,
		200	};
		201
		202	static struct nft_expr_type nft_dynset_type __read_mostly = {
		203	.name = "dynset",
		204	.ops = &nft_dynset_ops,
		205	.policy = nft_dynset_policy,
		206	.maxattr = NFTA_DYNSET_MAX,
		207	.owner = THIS_MODULE,
		208	};
		209
		210	int __init nft_dynset_module_init(void)
		211	{
		212	return nft_register_expr(&nft_dynset_type);
		213	}
		214
		215	void nft_dynset_module_exit(void)
		216	{
		217	nft_unregister_expr(&nft_dynset_type);
		218	}


diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c index c74e2bf1a1e4..bc23806b7fbe 100644 --- a/net/netfilter/nft_hash.c +++ b/net/netfilter/nft_hash.c
@@ -90,6 +90,42 @@ static bool nft_hash_lookup(const struct nft_set *set,
90	return !!he;	90	return !!he;
91	}	91	}
92		92
		93	static bool nft_hash_update(struct nft_set set, const struct nft_data key,
		94	void (new)(struct nft_set *,
		95	const struct nft_expr *,
		96	struct nft_data []),
		97	const struct nft_expr *expr,
		98	struct nft_data data[],
		99	const struct nft_set_ext **ext)
		100	{
		101	struct nft_hash *priv = nft_set_priv(set);
		102	struct nft_hash_elem *he;
		103	struct nft_hash_cmp_arg arg = {
		104	.genmask = NFT_GENMASK_ANY,
		105	.set = set,
		106	.key = key,
		107	};
		108
		109	he = rhashtable_lookup_fast(&priv->ht, &arg, nft_hash_params);
		110	if (he != NULL)
		111	goto out;
		112
		113	he = new(set, expr, data);
		114	if (he == NULL)
		115	goto err1;
		116	if (rhashtable_lookup_insert_key(&priv->ht, &arg, &he->node,
		117	nft_hash_params))
		118	goto err2;
		119	out:
		120	*ext = &he->ext;
		121	return true;
		122
		123	err2:
		124	nft_set_elem_destroy(set, he);
		125	err1:
		126	return false;
		127	}
		128
93	static int nft_hash_insert(const struct nft_set *set,	129	static int nft_hash_insert(const struct nft_set *set,
94	const struct nft_set_elem *elem)	130	const struct nft_set_elem *elem)
95	{	131	{
@@ -335,6 +371,7 @@ static struct nft_set_ops nft_hash_ops __read_mostly = {
335	.deactivate = nft_hash_deactivate,	371	.deactivate = nft_hash_deactivate,
336	.remove = nft_hash_remove,	372	.remove = nft_hash_remove,
337	.lookup = nft_hash_lookup,	373	.lookup = nft_hash_lookup,
		374	.update = nft_hash_update,
338	.walk = nft_hash_walk,	375	.walk = nft_hash_walk,
339	.features = NFT_SET_MAP \| NFT_SET_TIMEOUT,	376	.features = NFT_SET_MAP \| NFT_SET_TIMEOUT,
340	.owner = THIS_MODULE,	377	.owner = THIS_MODULE,