From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Pablo Neira Ayuso, Sasha Levin
Subject: [PATCH 5.10 144/221] netfilter: nftables: allow to update flowtable flags
Date: Mon, 29 Mar 2021 09:57:55 +0200
Message-Id: <20210329075633.974871349@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210329075629.172032742@linuxfoundation.org>
References: <20210329075629.172032742@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Pablo Neira Ayuso

[ Upstream commit 7b35582cd04ace2fd1807c1b624934e465cc939d ]

Honor flowtable flags from the control update path. Disallow disabling
to toggle hardware offload support though.

Fixes: 8bb69f3b2918 ("netfilter: nf_tables: add flowtable offload control plane")
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Sasha Levin
--- include/net/netfilter/nf_tables.h | 3 +++ net/netfilter/nf_tables_api.c | 15 +++++++++++++++ 2 files changed, 18 insertions(+) diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index c1c0a4ff92ae..ed4a9d098164 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -1508,6 +1508,7 @@ struct nft_trans_flowtable { struct nft_flowtable *flowtable; bool update; struct list_head hook_list; + u32 flags; }; #define nft_trans_flowtable(trans) \ @@ -1516,6 +1517,8 @@ struct nft_trans_flowtable { (((struct nft_trans_flowtable *)trans->data)->update) #define nft_trans_flowtable_hooks(trans) \ (((struct nft_trans_flowtable *)trans->data)->hook_list) +#define nft_trans_flowtable_flags(trans) \ + (((struct nft_trans_flowtable *)trans->data)->flags) int __init nft_chain_filter_init(void); void nft_chain_filter_fini(void); diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 7cdbe8733540..978a968d7aed 100644 
--- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -6632,6 +6632,7 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, struct nft_hook *hook, *next; struct nft_trans *trans; bool unregister = false; + u32 flags; int err; err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK], @@ -6646,6 +6647,17 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, } } + if (nla[NFTA_FLOWTABLE_FLAGS]) { + flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); + if (flags & ~NFT_FLOWTABLE_MASK) + return -EOPNOTSUPP; + if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^ + (flags & NFT_FLOWTABLE_HW_OFFLOAD)) + return -EOPNOTSUPP; + } else { + flags = flowtable->data.flags; + } + err = nft_register_flowtable_net_hooks(ctx->net, ctx->table, &flowtable_hook.list, flowtable); if (err < 0) @@ -6659,6 +6671,7 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, goto err_flowtable_update_hook; } + nft_trans_flowtable_flags(trans) = flags; nft_trans_flowtable(trans) = flowtable; nft_trans_flowtable_update(trans) = true; INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); @@ -7968,6 +7981,8 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) break; case NFT_MSG_NEWFLOWTABLE: if (nft_trans_flowtable_update(trans)) { + nft_trans_flowtable(trans)->data.flags = + nft_trans_flowtable_flags(trans); nf_tables_flowtable_notify(&trans->ctx, nft_trans_flowtable(trans), &nft_trans_flowtable_hooks(trans), -- 2.30.1
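
Review bot: In include/net/netfilter/nf_tables.h, the new `u32 flags` member of struct nft_trans_flowtable has no comment saying that it holds the flag set staged by an update and copied into the flowtable's data.flags at commit time; a one-line comment on the field would make the transaction struct easier to read. The new nft_trans_flowtable_flags() accessor leaves `trans` unparenthesized inside the cast, which matches the existing accessors but is worth tightening for all of them in a separate cleanup.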
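
Review bot: In nft_flowtable_update(), the two new `return -EOPNOTSUPP` statements in the NFTA_FLOWTABLE_FLAGS block run after nft_flowtable_parse_hook() has already been called, while the later failure path in the same function leaves through `goto err_flowtable_update_hook`. Please check whether the parsed hook list has to be released on these early exits; if it does, set `err = -EOPNOTSUPP` and jump to that label, or move the flag validation ahead of the hook parsing. A short comment above the XOR test saying that any change to NFT_FLOWTABLE_HW_OFFLOAD is refused on update would also help, since the test rejects enabling as well as disabling.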