diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2017-09-03 23:54:27 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2017-09-04 17:34:54 +0200 |
commit | 2c4a488a482d265df4505671f6051067524c4f76 (patch) | |
tree | fb042e3790e7c276161adde6a3b57e9fe5921112 /net | |
parent | 9efdb14f76f4d7591cd4d7a436ebd716b19703b6 (diff) |
netfilter: nf_tables: add nf_tables_updchain()
nf_tables_newchain() is too large, wrap the chain update path in a
function to make it more maintainable.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
-rw-r--r-- | net/netfilter/nf_tables_api.c | 170 |
1 files changed, 92 insertions, 78 deletions
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index b37c178897f3..a910544acf59 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -1335,6 +1335,97 @@ static void nft_chain_release_hook(struct nft_chain_hook *hook) dev_put(hook->dev); } +static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, + bool create) +{ + const struct nlattr * const *nla = ctx->nla; + struct nft_table *table = ctx->table; + struct nft_chain *chain = ctx->chain; + struct nft_af_info *afi = ctx->afi; + struct nft_base_chain *basechain; + struct nft_stats *stats = NULL; + struct nft_chain_hook hook; + const struct nlattr *name; + struct nf_hook_ops *ops; + struct nft_trans *trans; + int err, i; + + if (nla[NFTA_CHAIN_HOOK]) { + if (!nft_is_base_chain(chain)) + return -EBUSY; + + err = nft_chain_parse_hook(ctx->net, nla, ctx->afi, &hook, + create); + if (err < 0) + return err; + + basechain = nft_base_chain(chain); + if (basechain->type != hook.type) { + nft_chain_release_hook(&hook); + return -EBUSY; + } + + for (i = 0; i < afi->nops; i++) { + ops = &basechain->ops[i]; + if (ops->hooknum != hook.num || + ops->priority != hook.priority || + ops->dev != hook.dev) { + nft_chain_release_hook(&hook); + return -EBUSY; + } + } + nft_chain_release_hook(&hook); + } + + if (nla[NFTA_CHAIN_HANDLE] && + nla[NFTA_CHAIN_NAME]) { + struct nft_chain *chain2; + + chain2 = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], + genmask); + if (IS_ERR(chain2)) + return PTR_ERR(chain2); + } + + if (nla[NFTA_CHAIN_COUNTERS]) { + if (!nft_is_base_chain(chain)) + return -EOPNOTSUPP; + + stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); + if (IS_ERR(stats)) + return PTR_ERR(stats); + } + + trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN, + sizeof(struct nft_trans_chain)); + if (trans == NULL) { + free_percpu(stats); + return -ENOMEM; + } + + nft_trans_chain_stats(trans) = stats; + nft_trans_chain_update(trans) = true; + + if (nla[NFTA_CHAIN_POLICY]) + nft_trans_chain_policy(trans) = policy; + else + nft_trans_chain_policy(trans) = -1; + + name = nla[NFTA_CHAIN_NAME]; + if (nla[NFTA_CHAIN_HANDLE] && name) { + nft_trans_chain_name(trans) = + nla_strdup(name, GFP_KERNEL); + if (!nft_trans_chain_name(trans)) { + kfree(trans); + free_percpu(stats); + return -ENOMEM; + } + } + list_add_tail(&trans->list, &ctx->net->nft.commit_list); + + return 0; +} + static int nf_tables_newchain(struct net *net, struct sock *nlsk, struct sk_buff *skb, const struct nlmsghdr *nlh, const struct nlattr * const nla[], @@ -1403,91 +1494,14 @@ static int nf_tables_newchain(struct net *net, struct sock *nlsk, } if (chain != NULL) { - struct nft_stats *stats = NULL; - struct nft_trans *trans; - if (nlh->nlmsg_flags & NLM_F_EXCL) return -EEXIST; if (nlh->nlmsg_flags & NLM_F_REPLACE) return -EOPNOTSUPP; - if (nla[NFTA_CHAIN_HOOK]) { - struct nft_base_chain *basechain; - struct nft_chain_hook hook; - struct nf_hook_ops *ops; - - if (!nft_is_base_chain(chain)) - return -EBUSY; - - err = nft_chain_parse_hook(net, nla, afi, &hook, - create); - if (err < 0) - return err; - - basechain = nft_base_chain(chain); - if (basechain->type != hook.type) { - nft_chain_release_hook(&hook); - return -EBUSY; - } - - for (i = 0; i < afi->nops; i++) { - ops = &basechain->ops[i]; - if (ops->hooknum != hook.num || - ops->priority != hook.priority || - ops->dev != hook.dev) { - nft_chain_release_hook(&hook); - return -EBUSY; - } - } - nft_chain_release_hook(&hook); - } - - if (nla[NFTA_CHAIN_HANDLE] && name) { - struct nft_chain *chain2; - - chain2 = nf_tables_chain_lookup(table, - nla[NFTA_CHAIN_NAME], - genmask); - if (IS_ERR(chain2)) - return PTR_ERR(chain2); - } - - if (nla[NFTA_CHAIN_COUNTERS]) { - if (!nft_is_base_chain(chain)) - return -EOPNOTSUPP; - - stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); - if (IS_ERR(stats)) - return PTR_ERR(stats); - } - nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla); - trans = nft_trans_alloc(&ctx, NFT_MSG_NEWCHAIN, - sizeof(struct nft_trans_chain)); - if (trans == NULL) { - free_percpu(stats); - return -ENOMEM; - } - - nft_trans_chain_stats(trans) = stats; - nft_trans_chain_update(trans) = true; - if (nla[NFTA_CHAIN_POLICY]) - nft_trans_chain_policy(trans) = policy; - else - nft_trans_chain_policy(trans) = -1; - - if (nla[NFTA_CHAIN_HANDLE] && name) { - nft_trans_chain_name(trans) = - nla_strdup(name, GFP_KERNEL); - if (!nft_trans_chain_name(trans)) { - kfree(trans); - free_percpu(stats); - return -ENOMEM; - } - } - list_add_tail(&trans->list, &net->nft.commit_list); - return 0; + return nf_tables_updchain(&ctx, genmask, policy, create); } if (table->use == UINT_MAX) |