netfilter: nf_tables: use net_generic infra for transaction data (11352851) · Commits · e / devices / android_kernel_fairphone_FP5

include/net/netfilter/nf_tables.h

+10 −0

Original line number	Diff line number	Diff line
		@@ -1472,4 +1472,14 @@ void nf_tables_trans_destroy_flush_work(void);
		int nf_msecs_to_jiffies64(const struct nlattr nla, u64 result);
		__be64 nf_jiffies64_to_msecs(u64 input);

		struct nftables_pernet {
		struct list_head tables;
		struct list_head commit_list;
		struct list_head module_list;
		struct list_head notify_list;
		struct mutex commit_mutex;
		unsigned int base_seq;
		u8 validate_state;
		};

		#endif /* _NET_NF_TABLES_H */

include/net/netns/nftables.h

+0 −6

Original line number	Diff line number	Diff line
		@@ -5,13 +5,7 @@
		#include <linux/list.h>

		struct netns_nftables {
		struct list_head tables;
		struct list_head commit_list;
		struct list_head module_list;
		struct mutex commit_mutex;
		unsigned int base_seq;
		u8 gencursor;
		u8 validate_state;
		};

		#endif

net/netfilter/nf_tables_api.c

+204 −126

File changed.

Preview size limit exceeded, changes collapsed.

net/netfilter/nf_tables_offload.c

+18 −11

Original line number	Diff line number	Diff line
		@@ -7,6 +7,8 @@
		#include <net/netfilter/nf_tables_offload.h>
		#include <net/pkt_cls.h>

		extern unsigned int nf_tables_net_id;

		static struct nft_flow_rule *nft_flow_rule_alloc(int num_actions)
		{
		struct nft_flow_rule *flow;
		@@ -345,11 +347,12 @@ static int nft_flow_offload_chain(struct nft_chain *chain,

		int nft_flow_rule_offload_commit(struct net *net)
		{
		struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
		struct nft_trans *trans;
		int err = 0;
		u8 policy;

		list_for_each_entry(trans, &net->nft.commit_list, list) {
		list_for_each_entry(trans, &nft_net->commit_list, list) {
		if (trans->ctx.family != NFPROTO_NETDEV)
		continue;

		@@ -400,7 +403,7 @@ int nft_flow_rule_offload_commit(struct net *net)
		break;
		}

		list_for_each_entry(trans, &net->nft.commit_list, list) {
		list_for_each_entry(trans, &nft_net->commit_list, list) {
		if (trans->ctx.family != NFPROTO_NETDEV)
		continue;

		@@ -419,14 +422,14 @@ int nft_flow_rule_offload_commit(struct net *net)
		return err;
		}

		static struct nft_chain __nft_offload_get_chain(struct net_device dev)
		static struct nft_chain __nft_offload_get_chain(const struct nftables_pernet nft_net,
		struct net_device *dev)
		{
		struct nft_base_chain *basechain;
		struct net *net = dev_net(dev);
		const struct nft_table *table;
		struct nft_chain *chain;

		list_for_each_entry(table, &net->nft.tables, list) {
		list_for_each_entry(table, &nft_net->tables, list) {
		if (table->family != NFPROTO_NETDEV)
		continue;

		@@ -450,18 +453,20 @@ static void nft_indr_block_cb(struct net_device *dev,
		flow_indr_block_bind_cb_t cb, void cb_priv,
		enum flow_block_command cmd)
		{
		struct nftables_pernet *nft_net;
		struct net *net = dev_net(dev);
		struct nft_chain *chain;

		mutex_lock(&net->nft.commit_mutex);
		chain = __nft_offload_get_chain(dev);
		nft_net = net_generic(net, nf_tables_net_id);
		mutex_lock(&nft_net->commit_mutex);
		chain = __nft_offload_get_chain(nft_net, dev);
		if (chain && chain->flags & NFT_CHAIN_HW_OFFLOAD) {
		struct nft_base_chain *basechain;

		basechain = nft_base_chain(chain);
		nft_indr_block_ing_cmd(dev, basechain, cb, cb_priv, cmd);
		}
		mutex_unlock(&net->nft.commit_mutex);
		mutex_unlock(&nft_net->commit_mutex);
		}

		static void nft_offload_chain_clean(struct nft_chain *chain)
		@@ -480,17 +485,19 @@ static int nft_offload_netdev_event(struct notifier_block *this,
		unsigned long event, void *ptr)
		{
		struct net_device *dev = netdev_notifier_info_to_dev(ptr);
		struct nftables_pernet *nft_net;
		struct net *net = dev_net(dev);
		struct nft_chain *chain;

		if (event != NETDEV_UNREGISTER)
		return NOTIFY_DONE;

		mutex_lock(&net->nft.commit_mutex);
		chain = __nft_offload_get_chain(dev);
		nft_net = net_generic(net, nf_tables_net_id);
		mutex_lock(&nft_net->commit_mutex);
		chain = __nft_offload_get_chain(nft_net, dev);
		if (chain)
		nft_offload_chain_clean(chain);
		mutex_unlock(&net->nft.commit_mutex);
		mutex_unlock(&nft_net->commit_mutex);

		return NOTIFY_DONE;
		}

net/netfilter/nft_chain_filter.c

+8 −3

Original line number	Diff line number	Diff line
		@@ -2,6 +2,7 @@
		#include <linux/kernel.h>
		#include <linux/netdevice.h>
		#include <net/net_namespace.h>
		#include <net/netns/generic.h>
		#include <net/netfilter/nf_tables.h>
		#include <linux/netfilter_ipv4.h>
		#include <linux/netfilter_ipv6.h>
		@@ -10,6 +11,8 @@
		#include <net/netfilter/nf_tables_ipv4.h>
		#include <net/netfilter/nf_tables_ipv6.h>

		extern unsigned int nf_tables_net_id;

		#ifdef CONFIG_NF_TABLES_IPV4
		static unsigned int nft_do_chain_ipv4(void *priv,
		struct sk_buff *skb,
		@@ -315,6 +318,7 @@ static int nf_tables_netdev_event(struct notifier_block *this,
		unsigned long event, void *ptr)
		{
		struct net_device *dev = netdev_notifier_info_to_dev(ptr);
		struct nftables_pernet *nft_net;
		struct nft_table *table;
		struct nft_chain chain, nr;
		struct nft_ctx ctx = {
		@@ -325,8 +329,9 @@ static int nf_tables_netdev_event(struct notifier_block *this,
		event != NETDEV_CHANGENAME)
		return NOTIFY_DONE;

		mutex_lock(&ctx.net->nft.commit_mutex);
		list_for_each_entry(table, &ctx.net->nft.tables, list) {
		nft_net = net_generic(ctx.net, nf_tables_net_id);
		mutex_lock(&nft_net->commit_mutex);
		list_for_each_entry(table, &nft_net->tables, list) {
		if (table->family != NFPROTO_NETDEV)
		continue;

		@@ -340,7 +345,7 @@ static int nf_tables_netdev_event(struct notifier_block *this,
		nft_netdev_event(event, dev, &ctx);
		}
		}
		mutex_unlock(&ctx.net->nft.commit_mutex);
		mutex_unlock(&nft_net->commit_mutex);

		return NOTIFY_DONE;
		}