Skip to content

Commit 00c320f

Browse files
Florian Westphalummakynes
Florian Westphal
authored and
ummakynes
committed
netfilter: nf_tables: make validation state per table
We only need to validate tables that saw changes in the current transaction. The existing code revalidates all tables, but this isn't needed as cross-table jumps are not allowed (chains have table scope). Signed-off-by: Florian Westphal <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]>
1 parent 9a32e98 commit 00c320f

File tree

2 files changed

+20
-21
lines changed

2 files changed

+20
-21
lines changed

include/net/netfilter/nf_tables.h

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1209,6 +1209,7 @@ unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv);
12091209
* @genmask: generation mask
12101210
* @afinfo: address family info
12111211
* @name: name of the table
1212+
* @validate_state: internal, set when transaction adds jumps
12121213
*/
12131214
struct nft_table {
12141215
struct list_head list;
@@ -1227,6 +1228,7 @@ struct nft_table {
12271228
char *name;
12281229
u16 udlen;
12291230
u8 *udata;
1231+
u8 validate_state;
12301232
};
12311233

12321234
static inline bool nft_table_has_owner(const struct nft_table *table)
@@ -1698,7 +1700,6 @@ struct nftables_pernet {
16981700
struct mutex commit_mutex;
16991701
u64 table_handle;
17001702
unsigned int base_seq;
1701-
u8 validate_state;
17021703
};
17031704

17041705
extern unsigned int nf_tables_net_id;

net/netfilter/nf_tables_api.c

Lines changed: 18 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -102,11 +102,9 @@ static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types
102102
[NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
103103
};
104104

105-
static void nft_validate_state_update(struct net *net, u8 new_validate_state)
105+
static void nft_validate_state_update(struct nft_table *table, u8 new_validate_state)
106106
{
107-
struct nftables_pernet *nft_net = nft_pernet(net);
108-
109-
switch (nft_net->validate_state) {
107+
switch (table->validate_state) {
110108
case NFT_VALIDATE_SKIP:
111109
WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
112110
break;
@@ -117,7 +115,7 @@ static void nft_validate_state_update(struct net *net, u8 new_validate_state)
117115
return;
118116
}
119117

120-
nft_net->validate_state = new_validate_state;
118+
table->validate_state = new_validate_state;
121119
}
122120
static void nf_tables_trans_destroy_work(struct work_struct *w);
123121
static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
@@ -1224,6 +1222,7 @@ static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
12241222
if (table == NULL)
12251223
goto err_kzalloc;
12261224

1225+
table->validate_state = NFT_VALIDATE_SKIP;
12271226
table->name = nla_strdup(attr, GFP_KERNEL_ACCOUNT);
12281227
if (table->name == NULL)
12291228
goto err_strdup;
@@ -3660,7 +3659,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
36603659
}
36613660

36623661
if (expr_info[i].ops->validate)
3663-
nft_validate_state_update(net, NFT_VALIDATE_NEED);
3662+
nft_validate_state_update(table, NFT_VALIDATE_NEED);
36643663

36653664
expr_info[i].ops = NULL;
36663665
expr = nft_expr_next(expr);
@@ -3710,7 +3709,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
37103709
if (flow)
37113710
nft_trans_flow_rule(trans) = flow;
37123711

3713-
if (nft_net->validate_state == NFT_VALIDATE_DO)
3712+
if (table->validate_state == NFT_VALIDATE_DO)
37143713
return nft_table_validate(net, table);
37153714

37163715
return 0;
@@ -6312,7 +6311,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
63126311
if (desc.type == NFT_DATA_VERDICT &&
63136312
(elem.data.val.verdict.code == NFT_GOTO ||
63146313
elem.data.val.verdict.code == NFT_JUMP))
6315-
nft_validate_state_update(ctx->net,
6314+
nft_validate_state_update(ctx->table,
63166315
NFT_VALIDATE_NEED);
63176316
}
63186317

@@ -6437,7 +6436,6 @@ static int nf_tables_newsetelem(struct sk_buff *skb,
64376436
const struct nfnl_info *info,
64386437
const struct nlattr * const nla[])
64396438
{
6440-
struct nftables_pernet *nft_net = nft_pernet(info->net);
64416439
struct netlink_ext_ack *extack = info->extack;
64426440
u8 genmask = nft_genmask_next(info->net);
64436441
u8 family = info->nfmsg->nfgen_family;
@@ -6476,7 +6474,7 @@ static int nf_tables_newsetelem(struct sk_buff *skb,
64766474
}
64776475
}
64786476

6479-
if (nft_net->validate_state == NFT_VALIDATE_DO)
6477+
if (table->validate_state == NFT_VALIDATE_DO)
64806478
return nft_table_validate(net, table);
64816479

64826480
return 0;
@@ -8628,19 +8626,20 @@ static int nf_tables_validate(struct net *net)
86288626
struct nftables_pernet *nft_net = nft_pernet(net);
86298627
struct nft_table *table;
86308628

8631-
switch (nft_net->validate_state) {
8632-
case NFT_VALIDATE_SKIP:
8633-
break;
8634-
case NFT_VALIDATE_NEED:
8635-
nft_validate_state_update(net, NFT_VALIDATE_DO);
8636-
fallthrough;
8637-
case NFT_VALIDATE_DO:
8638-
list_for_each_entry(table, &nft_net->tables, list) {
8629+
list_for_each_entry(table, &nft_net->tables, list) {
8630+
switch (table->validate_state) {
8631+
case NFT_VALIDATE_SKIP:
8632+
continue;
8633+
case NFT_VALIDATE_NEED:
8634+
nft_validate_state_update(table, NFT_VALIDATE_DO);
8635+
fallthrough;
8636+
case NFT_VALIDATE_DO:
86398637
if (nft_table_validate(net, table) < 0)
86408638
return -EAGAIN;
8639+
8640+
nft_validate_state_update(table, NFT_VALIDATE_SKIP);
86418641
}
86428642

8643-
nft_validate_state_update(net, NFT_VALIDATE_SKIP);
86448643
break;
86458644
}
86468645

@@ -10355,7 +10354,6 @@ static int __net_init nf_tables_init_net(struct net *net)
1035510354
INIT_LIST_HEAD(&nft_net->notify_list);
1035610355
mutex_init(&nft_net->commit_mutex);
1035710356
nft_net->base_seq = 1;
10358-
nft_net->validate_state = NFT_VALIDATE_SKIP;
1035910357

1036010358
return 0;
1036110359
}

0 commit comments

Comments
 (0)