Commit aaa3104

netfilter: nftables: add catch-all set element support
This patch extends the set infrastructure to add a special catch-all set element. If the lookup fails to find an element (or range) in the set, then the catch-all element is selected. Users can specify a mapping, expression(s) and timeout to be attached to the catch-all element.

This patch adds a catchall list to the set; this list might contain more than one single catch-all element (e.g. in case the catch-all element is removed and a new one is added in the same transaction). However, most of the time, there will be either one element or no elements at all in this list.

The catch-all element is identified via the NFT_SET_ELEM_CATCHALL flag, and this special element has no NFTA_SET_ELEM_KEY attribute. There is a new nft_set_elem_catchall object that stores a reference to the dummy catch-all element (catchall->elem) whose layout is the same as the set element type, to reuse the existing set element codebase.

The set size does not apply to the catch-all element; users can define a catch-all element even if the set is full.

The check for valid set element flags has been updated to report EOPNOTSUPP in case userspace requests flags that are not supported when using new userspace nftables and an old kernel.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
1 parent 97c976d commit aaa3104
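The commit message above describes four behaviours: lookup falls back to the catch-all element when no keyed element or range matches, the catch-all list may transiently hold more than one entry within a transaction, the set size limit does not apply to the catch-all element, and unknown element flags are rejected with EOPNOTSUPP. The userspace C model below is an added illustration of those semantics; it is not code from the kernel or from this patch. The functions set_add, set_lookup, set_catchall_replace and set_catchall_gc, the fixed-size arrays standing in for the kernel set backend and for catchall_list, and all sample keys and values are constructed here.

```c
/* Constructed userspace model of the catch-all set element semantics from the
 * commit message. Not kernel code: the function names, the fixed-size arrays
 * standing in for the set backend and catchall_list, and the limits are assumed. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define SET_MAX_ELEMS 4            /* constructed set size limit (keyed elements only) */
#define MAX_CATCHALL  4            /* capacity of the model's catch-all list */
#define ELEM_INTERVAL_END 0x1      /* mirrors NFT_SET_ELEM_INTERVAL_END */
#define ELEM_CATCHALL     0x2      /* mirrors NFT_SET_ELEM_CATCHALL from the UAPI hunk */
#define ELEM_KNOWN_FLAGS  (ELEM_INTERVAL_END | ELEM_CATCHALL)

struct elem {
    uint32_t key;      /* unused for catch-all elements (no NFTA_SET_ELEM_KEY) */
    uint32_t data;     /* mapping attached to the element */
    uint64_t expires;  /* 0 = no timeout, otherwise absolute expiry time */
    bool active;       /* false once deactivated in a transaction, until GC */
};

struct set {
    struct elem keyed[SET_MAX_ELEMS];
    size_t nkeyed;
    struct elem catchall[MAX_CATCHALL]; /* stands in for set->catchall_list */
    size_t ncatchall;
};

static bool elem_expired(const struct elem *e, uint64_t now)
{
    return e->expires != 0 && now >= e->expires;
}

/* Add an element. Unknown flag bits are rejected with EOPNOTSUPP, as the
 * commit message describes; the set size limit applies to keyed elements only. */
int set_add(struct set *s, uint32_t flags, uint32_t key, uint32_t data,
            uint64_t expires)
{
    struct elem e = { .key = key, .data = data, .expires = expires, .active = true };

    if (flags & ~ELEM_KNOWN_FLAGS)
        return -EOPNOTSUPP;
    if (flags & ELEM_CATCHALL) {
        /* A catch-all element has no key, so it cannot end an interval,
         * and it may be added even when the keyed part of the set is full. */
        if ((flags & ELEM_INTERVAL_END) || s->ncatchall >= MAX_CATCHALL)
            return -EINVAL;
        s->catchall[s->ncatchall++] = e;
        return 0;
    }
    if (s->nkeyed >= SET_MAX_ELEMS)
        return -ENOSPC;
    s->keyed[s->nkeyed++] = e;
    return 0;
}

/* Replace the catch-all within one transaction: the old element is only
 * deactivated, so the list briefly holds two entries until GC removes it. */
int set_catchall_replace(struct set *s, uint32_t data, uint64_t expires)
{
    for (size_t i = 0; i < s->ncatchall; i++)
        s->catchall[i].active = false;
    return set_add(s, ELEM_CATCHALL, 0, data, expires);
}

/* Lookup: exact key first; if nothing matches, fall back to the active,
 * non-expired catch-all element (NULL if there is none). */
const struct elem *set_lookup(const struct set *s, uint32_t key, uint64_t now)
{
    for (size_t i = 0; i < s->nkeyed; i++) {
        const struct elem *e = &s->keyed[i];
        if (e->active && e->key == key && !elem_expired(e, now))
            return e;
    }
    for (size_t i = 0; i < s->ncatchall; i++) {
        const struct elem *e = &s->catchall[i];
        if (e->active && !elem_expired(e, now))
            return e;
    }
    return NULL;
}

/* Garbage collection of the catch-all list: drop deactivated and expired
 * entries and return how many were removed (the role nft_set_catchall_gc plays). */
size_t set_catchall_gc(struct set *s, uint64_t now)
{
    size_t kept = 0, removed = 0;

    for (size_t i = 0; i < s->ncatchall; i++) {
        if (s->catchall[i].active && !elem_expired(&s->catchall[i], now))
            s->catchall[kept++] = s->catchall[i];
        else
            removed++;
    }
    s->ncatchall = kept;
    return removed;
}
```

The point of keeping the deactivated entry around instead of overwriting it in place is that a lookup racing with the transaction still sees a consistent element, old or new, never a half-updated one; the model's set_catchall_gc is where the stale entry is finally dropped, together with any catch-all whose timeout has elapsed.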

8 files changed: +465 / -63 lines changed

include/net/netfilter/nf_tables.h

+5
@@ -497,6 +497,7 @@ struct nft_set {
497497
u8 dlen;
498498
u8 num_exprs;
499499
struct nft_expr *exprs[NFT_SET_EXPR_MAX];
500+
struct list_head catchall_list;
500501
unsigned char data[]
501502
__attribute__((aligned(__alignof__(u64))));
502503
};
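Review bot: the new `catchall_list` member in `struct nft_set` is undocumented; if the struct's kernel-doc member list (above this hunk) is maintained, add an `@catchall_list` entry saying that it holds `nft_set_elem_catchall` entries and which lock or RCU discipline protects it, since the commit message has it written from the transaction path and read from the lookup path. Placing it before `data[]` is correct, as the flexible array must stay the last member. This header hunk does not show where the list head is initialised (`INIT_LIST_HEAD` at set creation) or drained when the set is destroyed; confirm both in the rest of the patch.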
@@ -522,6 +523,10 @@ struct nft_set *nft_set_lookup_global(const struct net *net,
522523
const struct nlattr *nla_set_id,
523524
u8 genmask);
524525

526+
struct nft_set_ext *nft_set_catchall_lookup(const struct net *net,
527+
const struct nft_set *set);
528+
void *nft_set_catchall_gc(const struct nft_set *set);
529+
525530
static inline unsigned long nft_set_gc_interval(const struct nft_set *set)
526531
{
527532
return set->gc_int ? msecs_to_jiffies(set->gc_int) : HZ;
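Review bot: the two new prototypes carry no comment describing their contract. For `nft_set_catchall_lookup()`, state that it returns the extension area of the active, non-expired catch-all element or NULL, and that callers on the packet path must hold the RCU read lock. For `nft_set_catchall_gc()`, a bare `void *` return is opaque: say what object the pointer is (presumably an expired catch-all element for the caller to free), and whether the caller must call it repeatedly until it returns NULL, since the commit message says the catch-all list can hold more than one element at a time.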

include/uapi/linux/netfilter/nf_tables.h

+2
@@ -398,9 +398,11 @@ enum nft_set_attributes {
398398
* enum nft_set_elem_flags - nf_tables set element flags
399399
*
400400
* @NFT_SET_ELEM_INTERVAL_END: element ends the previous interval
401+
* @NFT_SET_ELEM_CATCHALL: special catch-all element
401402
*/
402403
enum nft_set_elem_flags {
403404
NFT_SET_ELEM_INTERVAL_END = 0x1,
405+
NFT_SET_ELEM_CATCHALL = 0x2,
404406
};
405407

406408
/**
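Review bot: the kernel-doc line for `@NFT_SET_ELEM_CATCHALL` should state the semantics userspace relies on: the element is selected when no keyed element or interval matches, and it carries no NFTA_SET_ELEM_KEY, as the commit message explains. Because this file is UAPI, 0x2 becomes ABI, and the companion check that rejects unknown flag bits with EOPNOTSUPP (mentioned in the commit message, not in this hunk) is what makes an old kernel fail the request cleanly instead of treating the element as a keyed one; make sure that check masks against exactly `NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL`, and consider rejecting the combination of both flags, since an element without a key cannot end an interval.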
