Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Revert "netfilter: nf_tables: Add notifications for hook changes"

This reverts commit 465b9ee0ee7bc268d7f261356afd6c4262e48d82.

Such notifications fit better into core or nfnetlink_hook code,
following the NFNL_MSG_HOOK_GET message format.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Phil Sutter and committed by
Pablo Neira Ayuso
36a686c0 6ac86ac7

-79
-5
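--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1142,11 +1142,6 @@
 int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain);
 void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain);
 
-struct nft_hook;
-void nf_tables_chain_device_notify(const struct nft_chain *chain,
-const struct nft_hook *hook,
-const struct net_device *dev, int event);
-
 enum nft_chain_types {
 NFT_CHAIN_T_DEFAULT = 0,
 NFT_CHAIN_T_ROUTE,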
-10
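--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -142,8 +142,6 @@
 NFT_MSG_DESTROYOBJ,
 NFT_MSG_DESTROYFLOWTABLE,
 NFT_MSG_GETSETELEM_RESET,
-NFT_MSG_NEWDEV,
-NFT_MSG_DELDEV,
 NFT_MSG_MAX,
 };
 
@@ -1786,18 +1784,10 @@
 * enum nft_device_attributes - nf_tables device netlink attributes
 *
 * @NFTA_DEVICE_NAME: name of this device (NLA_STRING)
-* @NFTA_DEVICE_TABLE: table containing the flowtable or chain hooking into the device (NLA_STRING)
-* @NFTA_DEVICE_FLOWTABLE: flowtable hooking into the device (NLA_STRING)
-* @NFTA_DEVICE_CHAIN: chain hooking into the device (NLA_STRING)
-* @NFTA_DEVICE_SPEC: hook spec matching the device (NLA_STRING)
 */
 enum nft_devices_attributes {
 NFTA_DEVICE_UNSPEC,
 NFTA_DEVICE_NAME,
-NFTA_DEVICE_TABLE,
-NFTA_DEVICE_FLOWTABLE,
-NFTA_DEVICE_CHAIN,
-NFTA_DEVICE_SPEC,
 __NFTA_DEVICE_MAX
 };
 #define NFTA_DEVICE_MAX (__NFTA_DEVICE_MAX - 1)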
-2
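--- a/include/uapi/linux/netfilter/nfnetlink.h
+++ b/include/uapi/linux/netfilter/nfnetlink.h
@@ -25,8 +25,6 @@
 #define NFNLGRP_ACCT_QUOTA NFNLGRP_ACCT_QUOTA
 NFNLGRP_NFTRACE,
 #define NFNLGRP_NFTRACE NFNLGRP_NFTRACE
-NFNLGRP_NFT_DEV,
-#define NFNLGRP_NFT_DEV NFNLGRP_NFT_DEV
 __NFNLGRP_MAX,
 };
 #define NFNLGRP_MAX (__NFNLGRP_MAX - 1)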
-59
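--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -9686,64 +9686,6 @@
 }
 EXPORT_SYMBOL_GPL(nft_hook_find_ops_rcu);
 
-static void
-nf_tables_device_notify(const struct nft_table *table, int attr,
-const char *name, const struct nft_hook *hook,
-const struct net_device *dev, int event)
-{
-struct net *net = dev_net(dev);
-struct nlmsghdr *nlh;
-struct sk_buff *skb;
-u16 flags = 0;
-
-if (!nfnetlink_has_listeners(net, NFNLGRP_NFT_DEV))
-return;
-
-skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
-if (!skb)
-goto err;
-
-event = event == NETDEV_REGISTER ? NFT_MSG_NEWDEV : NFT_MSG_DELDEV;
-event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
-nlh = nfnl_msg_put(skb, 0, 0, event, flags, table->family,
-NFNETLINK_V0, nft_base_seq(net));
-if (!nlh)
-goto err;
-
-if (nla_put_string(skb, NFTA_DEVICE_TABLE, table->name) ||
-nla_put_string(skb, attr, name) ||
-nla_put(skb, NFTA_DEVICE_SPEC, hook->ifnamelen, hook->ifname) ||
-nla_put_string(skb, NFTA_DEVICE_NAME, dev->name))
-goto err;
-
-nlmsg_end(skb, nlh);
-nfnetlink_send(skb, net, 0, NFNLGRP_NFT_DEV,
-nlmsg_report(nlh), GFP_KERNEL);
-return;
-err:
-if (skb)
-kfree_skb(skb);
-nfnetlink_set_err(net, 0, NFNLGRP_NFT_DEV, -ENOBUFS);
-}
-
-void
-nf_tables_chain_device_notify(const struct nft_chain *chain,
-const struct nft_hook *hook,
-const struct net_device *dev, int event)
-{
-nf_tables_device_notify(chain->table, NFTA_DEVICE_CHAIN,
-chain->name, hook, dev, event);
-}
-
-static void
-nf_tables_flowtable_device_notify(const struct nft_flowtable *ft,
-const struct nft_hook *hook,
-const struct net_device *dev, int event)
-{
-nf_tables_device_notify(ft->table, NFTA_DEVICE_FLOWTABLE,
-ft->name, hook, dev, event);
-}
-
 static int nft_flowtable_event(unsigned long event, struct net_device *dev,
 struct nft_flowtable *flowtable, bool changename)
 {
@@ -9791,7 +9733,6 @@
 list_add_tail_rcu(&ops->list, &hook->ops_list);
 break;
 }
-nf_tables_flowtable_device_notify(flowtable, hook, dev, event);
 break;
 }
 return 0;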
-1
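--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -86,7 +86,6 @@
 [NFNLGRP_NFTABLES] = NFNL_SUBSYS_NFTABLES,
 [NFNLGRP_ACCT_QUOTA] = NFNL_SUBSYS_ACCT,
 [NFNLGRP_NFTRACE] = NFNL_SUBSYS_NFTABLES,
-[NFNLGRP_NFT_DEV] = NFNL_SUBSYS_NFTABLES,
 };
 
 static struct nfnl_net *nfnl_pernet(struct net *net)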
-2
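--- a/net/netfilter/nft_chain_filter.c
+++ b/net/netfilter/nft_chain_filter.c
@@ -363,8 +363,6 @@
 list_add_tail_rcu(&ops->list, &hook->ops_list);
 break;
 }
-nf_tables_chain_device_notify(&basechain->chain,
-hook, dev, event);
 break;
 }
 return 0;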