[Devel] [PATCH RHEL7 COMMIT] ms/netfilter: nft_dynset: do not reject set updates with NFT_SET_EVAL
Konstantin Khorenko
khorenko at virtuozzo.com
Thu Jun 13 20:44:00 MSK 2024
The commit is pushed to "branch-rh7-3.10.0-1160.114.2.vz7.222.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1160.114.2.vz7.222.1
------>
commit 39b6e87823d762ea43bcebaf4ea0f69053fbe309
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date: Tue May 28 16:12:42 2024 +0800
ms/netfilter: nft_dynset: do not reject set updates with NFT_SET_EVAL
NFT_SET_EVAL is signalling the kernel that these sets can be updated from
the evaluation path, even if there are no expressions attached to the
element. Otherwise, set updates with no expressions fail. Update
description to describe the right semantics.
Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates")
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
Note: This fixes the problem of adding dynamic set modification rules:
nft add table inet test-table
nft add set inet test-table test-set { typeof ip saddr \; flags timeout \; size 10000 \; }
nft add chain inet test-table test-chain { type filter hook input priority filter \; policy accept \; }
nft add rule inet test-table test-chain add @test-set { ip saddr timeout 2m }
Without this patch the last command fails.
Pinging the above setup will automatically create set elements, e.g.:
nft list ruleset
table inet test-table {
	set test-set {
		typeof ip saddr
		size 10000
		flags timeout
		elements = { 172.29.1.154 expires 1m38s945ms,
			     172.29.158.29 expires 1m45s348ms,
			     192.168.16.220 expires 1m56s984ms }
	}
	chain test-chain {
		type filter hook input priority filter; policy accept;
		add @test-set { ip saddr timeout 2m }
	}
}
https://virtuozzo.atlassian.net/browse/PSBM-156601
(cherry picked from commit 215a31f19dedd4e92a67cf5a9717ee898d012b3a)
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
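Once the rule above works, the interesting operational question is which addresses the evaluation path has added to the set and how long they have left. The following is an added example, not part of the commit or this post: a small parser for the `nft list ruleset` output quoted in the note, which converts nft's `1m38s945ms` style durations to milliseconds and reports elements whose expiry is below a threshold. The sample listing is constructed from the note's own output; the function names and the threshold are this example's assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the `nft list ruleset` output quoted in the commit note.
SAMPLE_LISTING = """\
table inet test-table {
    set test-set {
        typeof ip saddr
        size 10000
        flags timeout
        elements = { 172.29.1.154 expires 1m38s945ms,
                     172.29.158.29 expires 1m45s348ms,
                     192.168.16.220 expires 1m56s984ms }
    }
    chain test-chain {
        type filter hook input priority filter; policy accept;
        add @test-set { ip saddr timeout 2m }
    }
}
"""


@dataclass
class DynElement:
    set_name: str
    key: str
    expires_ms: Optional[int]  # remaining lifetime in ms; None if no expiry shown


# Order matters: "ms" must be tried before "m" so "945ms" is not read as 945 minutes.
_DURATION_RE = re.compile(r"(\d+)(ms|d|h|m|s)")
_UNIT_MS = {"d": 86_400_000, "h": 3_600_000, "m": 60_000, "s": 1_000, "ms": 1}


def parse_duration_ms(text: str) -> int:
    """Convert an nft duration such as '1m38s945ms' or '2m' to milliseconds."""
    total, pos = 0, 0
    for m in _DURATION_RE.finditer(text):
        if m.start() != pos:
            raise ValueError(f"unexpected text in duration: {text!r}")
        total += int(m.group(1)) * _UNIT_MS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"malformed duration: {text!r}")
    return total


def parse_set_elements(listing: str) -> List[DynElement]:
    """Extract every element (with its expiry) from the sets in an nft listing."""
    elements: List[DynElement] = []
    set_name: Optional[str] = None
    collecting: Optional[str] = None  # text of an 'elements = { ... }' block in progress
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith("set ") and line.endswith("{"):
            set_name = line.split()[1]
            continue
        if line.startswith("chain "):
            set_name = None
        if collecting is None:
            if set_name is None or not line.startswith("elements = {"):
                continue
            collecting = line[len("elements = {"):]
        else:
            collecting += " " + line  # element list continued on the next line
        if "}" in collecting:
            body = collecting[: collecting.index("}")]
            for entry in body.split(","):
                tokens = entry.split()
                if not tokens:
                    continue
                expires = None
                if "expires" in tokens:
                    expires = parse_duration_ms(tokens[tokens.index("expires") + 1])
                elements.append(DynElement(set_name, tokens[0], expires))
            collecting = None
    return elements


def expiring_soon(elements: List[DynElement], threshold_ms: int) -> List[str]:
    """Keys whose remaining lifetime is below the threshold (assumed monitoring policy)."""
    return [e.key for e in elements
            if e.expires_ms is not None and e.expires_ms < threshold_ms]


if __name__ == "__main__":
    elems = parse_set_elements(SAMPLE_LISTING)
    for e in elems:
        print(f"{e.set_name}: {e.key} expires in {e.expires_ms} ms")
    print("below 100 s:", expiring_soon(elems, 100_000))
```

Running it against the sample yields the three dynamically added addresses with their remaining lifetimes in milliseconds; feeding it the real output of `nft list ruleset` gives a quick view of what the `add @test-set` rule has learned without touching the kernel's set directly.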
---
include/uapi/linux/netfilter/nf_tables.h | 2 +-
net/netfilter/nft_dynset.c | 3 +--
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 98ad9c3d98f4..4ba705db4ae5 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -243,7 +243,7 @@ enum nft_rule_compat_attributes {
* @NFT_SET_INTERVAL: set contains intervals
* @NFT_SET_MAP: set is used as a dictionary
* @NFT_SET_TIMEOUT: set uses timeouts
- * @NFT_SET_EVAL: set contains expressions for evaluation
+ * @NFT_SET_EVAL: set can be updated from the evaluation path
*/
enum nft_set_flags {
NFT_SET_ANONYMOUS = 0x1,
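Review bot: the new comment drops the old wording's link between NFT_SET_EVAL and per-element expressions; consider "set can be updated from the evaluation path (optionally with per-element expressions)" so readers of the uapi header still learn that NFTA_DYNSET_EXPR remains allowed on such sets. The flag value itself is untouched, so no uapi ABI change results from this hunk.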
diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index abf5b1cfdb3a..a32b39ad5d8d 100644
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -178,8 +178,7 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
priv->expr = nft_expr_init(ctx, tb[NFTA_DYNSET_EXPR]);
if (IS_ERR(priv->expr))
return PTR_ERR(priv->expr);
- } else if (set->flags & NFT_SET_EVAL)
- return -EINVAL;
+ }
nft_set_ext_prepare(&priv->tmpl);
nft_set_ext_add_length(&priv->tmpl, NFT_SET_EXT_KEY, set->klen);
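Review bot: with the `else if (set->flags & NFT_SET_EVAL) return -EINVAL;` branch removed, an NFT_SET_EVAL set now passes init with no NFTA_DYNSET_EXPR, so a NULL priv->expr is a valid state at this point; confirm that the branch above the visible context still rejects an NFTA_DYNSET_EXPR supplied for a set that lacks NFT_SET_EVAL, and that the template built by nft_set_ext_prepare()/nft_set_ext_add_length() on priv->tmpl only adds the expression extension when priv->expr is non-NULL. A one-line comment above the closing `}` stating that sets flagged NFT_SET_EVAL may be updated without an attached expression would save the next reader the same question.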