Skip to content

Commit 6e1f760

Browse files
ummakynesummakynes
committed
netfilter: nf_tables: allow to filter out rules by table and chain
If the table and/or chain attributes are set in a rule dump request, we filter out the rules based on this selection. Signed-off-by: Pablo Neira Ayuso <[email protected]>
1 parent cc37c1a commit 6e1f760

File tree

1 file changed

+38
-0
lines changed

1 file changed

+38
-0
lines changed

net/netfilter/nf_tables_api.c

Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1857,10 +1857,16 @@ static int nf_tables_rule_notify(const struct nft_ctx *ctx,
18571857
return err;
18581858
}
18591859

1860+
struct nft_rule_dump_ctx {
1861+
char table[NFT_TABLE_MAXNAMELEN];
1862+
char chain[NFT_CHAIN_MAXNAMELEN];
1863+
};
1864+
18601865
static int nf_tables_dump_rules(struct sk_buff *skb,
18611866
struct netlink_callback *cb)
18621867
{
18631868
const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1869+
const struct nft_rule_dump_ctx *ctx = cb->data;
18641870
const struct nft_af_info *afi;
18651871
const struct nft_table *table;
18661872
const struct nft_chain *chain;
@@ -1877,7 +1883,15 @@ static int nf_tables_dump_rules(struct sk_buff *skb,
18771883
continue;
18781884

18791885
list_for_each_entry_rcu(table, &afi->tables, list) {
1886+
if (ctx && ctx->table[0] &&
1887+
strcmp(ctx->table, table->name) != 0)
1888+
continue;
1889+
18801890
list_for_each_entry_rcu(chain, &table->chains, list) {
1891+
if (ctx && ctx->chain[0] &&
1892+
strcmp(ctx->chain, chain->name) != 0)
1893+
continue;
1894+
18811895
list_for_each_entry_rcu(rule, &chain->rules, list) {
18821896
if (!nft_is_active(net, rule))
18831897
goto cont;
@@ -1907,6 +1921,12 @@ static int nf_tables_dump_rules(struct sk_buff *skb,
19071921
return skb->len;
19081922
}
19091923

1924+
static int nf_tables_dump_rules_done(struct netlink_callback *cb)
1925+
{
1926+
kfree(cb->data);
1927+
return 0;
1928+
}
1929+
19101930
static int nf_tables_getrule(struct net *net, struct sock *nlsk,
19111931
struct sk_buff *skb, const struct nlmsghdr *nlh,
19121932
const struct nlattr * const nla[])
@@ -1924,7 +1944,25 @@ static int nf_tables_getrule(struct net *net, struct sock *nlsk,
19241944
if (nlh->nlmsg_flags & NLM_F_DUMP) {
19251945
struct netlink_dump_control c = {
19261946
.dump = nf_tables_dump_rules,
1947+
.done = nf_tables_dump_rules_done,
19271948
};
1949+
1950+
if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
1951+
struct nft_rule_dump_ctx *ctx;
1952+
1953+
ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
1954+
if (!ctx)
1955+
return -ENOMEM;
1956+
1957+
if (nla[NFTA_RULE_TABLE])
1958+
nla_strlcpy(ctx->table, nla[NFTA_RULE_TABLE],
1959+
sizeof(ctx->table));
1960+
if (nla[NFTA_RULE_CHAIN])
1961+
nla_strlcpy(ctx->chain, nla[NFTA_RULE_CHAIN],
1962+
sizeof(ctx->chain));
1963+
c.data = ctx;
1964+
}
1965+
19281966
return netlink_dump_start(nlsk, skb, nlh, &c);
19291967
}
19301968

0 commit comments

Comments
 (0)