[Devel] [PATCH VZ7] netfilter: nft_dynset: do not reject set updates with NFT_SET_EVAL

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Tue May 28 11:12:42 MSK 2024


From: Pablo Neira Ayuso <pablo at netfilter.org>

NFT_SET_EVAL is signalling the kernel that this set can be updated from
the evaluation path, even if there are no expressions attached to the
element. Otherwise, set updates with no expressions fail. Update
description to describe the right semantics.

Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates")
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

Note: This fixes the problem of adding dynamic set modification rules:

nft add table inet test-table
nft add set inet test-table test-set { typeof ip saddr \; flags timeout \; size 10000 \; }
nft add chain inet test-table test-chain { type filter hook input priority filter \; policy accept \; }
nft add rule inet test-table test-chain add @test-set { ip saddr timeout 2m }

Without this patch the last command fails.

Pinging the above setup will automatically create set elements, e.g.:

nft list ruleset
table inet test-table {
	set test-set {
		typeof ip saddr
		size 10000
		flags timeout
		elements = { 172.29.1.154 expires 1m38s945ms,
			     172.29.158.29 expires 1m45s348ms,
			     192.168.16.220 expires 1m56s984ms }
	}

	chain test-chain {
		type filter hook input priority filter; policy accept;
		add @test-set { ip saddr timeout 2m }
	}
}
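The reproduction steps above double as a regression check for this patch. The script below is an added example, not part of the patch or of the nftables project: check_dynset_rule() replays the four nft commands from the note in a throwaway table and reports whether the kernel accepted the dynamic-update rule, and the two helper functions parse `nft list set` output so an operator can watch how full a timeout set is getting against its declared size. It assumes the nft userspace tool is installed and that check_dynset_rule() runs as root; the sample listing is constructed from the output quoted in the note.

```shell
#!/bin/sh
# Added regression/monitoring helper for the NFT_SET_EVAL change.
# Assumes: nft installed, root privileges for check_dynset_rule().
# Table/set/chain names follow the commit message; they are throwaway.

TABLE="test-table"

# Replay the commit message's setup and try the dynamic-update rule.
# Returns 0 when the rule is accepted (patched kernel), 1 when it is
# rejected (unpatched kernel), 2 when the prerequisites could not be
# created. The throwaway table is removed afterwards either way.
check_dynset_rule() {
    nft add table inet "$TABLE" || return 2
    nft add set inet "$TABLE" test-set \
        '{ typeof ip saddr; flags timeout; size 10000; }' || { nft delete table inet "$TABLE"; return 2; }
    nft add chain inet "$TABLE" test-chain \
        '{ type filter hook input priority filter; policy accept; }' || { nft delete table inet "$TABLE"; return 2; }
    if nft add rule inet "$TABLE" test-chain add @test-set '{ ip saddr timeout 2m }'; then
        rc=0
    else
        rc=1
    fi
    nft delete table inet "$TABLE"
    return $rc
}

# Given `nft list set` (or `nft list ruleset`) output on stdin, count the
# elements of a timeout set: each one is printed as "<addr> expires <time>".
count_expiring_elements() {
    grep -o '[0-9.]* expires' | wc -l | tr -d ' '
}

# Given the same output on stdin, print the declared "size N" cap so the
# element count can be compared against it (once full, further dynamic
# additions are silently dropped, which is worth alerting on).
set_size() {
    sed -n 's/.*size \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Constructed sample listing, shaped like the one in the commit message.
SAMPLE='table inet test-table {
    set test-set {
        typeof ip saddr
        size 10000
        flags timeout
        elements = { 172.29.1.154 expires 1m38s945ms,
                     172.29.158.29 expires 1m45s348ms,
                     192.168.16.220 expires 1m56s984ms }
    }
}'

# Stand-alone run: report fill level of the sample, then (as root) the
# regression check. Each check_dynset_rule() outcome maps to a message.
if [ "${1:-}" = "--run" ]; then
    printf 'sample: %s of %s elements used\n' \
        "$(printf '%s\n' "$SAMPLE" | count_expiring_elements)" \
        "$(printf '%s\n' "$SAMPLE" | set_size)"
    check_dynset_rule
    case $? in
        0) echo "dynamic set update rule accepted (patched)";;
        1) echo "dynamic set update rule rejected (unpatched)";;
        *) echo "could not create test table/set/chain";;
    esac
fi
```

Run it as `sh check_dynset.sh --run` on a patched and an unpatched kernel; the exit code of check_dynset_rule() is the regression signal, while count_expiring_elements() and set_size() can be fed live `nft list set inet test-table test-set` output from a cron job to alert before the set reaches its size cap.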

https://virtuozzo.atlassian.net/browse/PSBM-156601
(cherry picked from commit 215a31f19dedd4e92a67cf5a9717ee898d012b3a)
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 include/uapi/linux/netfilter/nf_tables.h | 2 +-
 net/netfilter/nft_dynset.c               | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 98ad9c3d98f4..4ba705db4ae5 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -243,7 +243,7 @@ enum nft_rule_compat_attributes {
  * @NFT_SET_INTERVAL: set contains intervals
  * @NFT_SET_MAP: set is used as a dictionary
  * @NFT_SET_TIMEOUT: set uses timeouts
- * @NFT_SET_EVAL: set contains expressions for evaluation
+ * @NFT_SET_EVAL: set can be updated from the evaluation path
  */
 enum nft_set_flags {
 	NFT_SET_ANONYMOUS		= 0x1,
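Review bot: the reworded @NFT_SET_EVAL line is consistent with dropping the -EINVAL return in nft_dynset.c, so nothing further is needed in this hunk; since this is a uapi header, it is worth stating in the cover text that the flag's meaning is being widened (a set flagged for evaluation-path updates may or may not carry expressions), not replaced, so existing rulesets that use NFT_SET_EVAL together with an expression keep working.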
diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index abf5b1cfdb3a..a32b39ad5d8d 100644
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -178,8 +178,7 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
 		priv->expr = nft_expr_init(ctx, tb[NFTA_DYNSET_EXPR]);
 		if (IS_ERR(priv->expr))
 			return PTR_ERR(priv->expr);
-	} else if (set->flags & NFT_SET_EVAL)
-		return -EINVAL;
+	}
 
 	nft_set_ext_prepare(&priv->tmpl);
 	nft_set_ext_add_length(&priv->tmpl, NFT_SET_EXT_KEY, set->klen);
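Review bot: removing the `else if (set->flags & NFT_SET_EVAL) return -EINVAL;` branch drops the only guard on NFT_SET_EVAL visible in this function, so a dynset rule with no NFTA_DYNSET_EXPR is now accepted on a set carrying that flag, which is exactly the failing `add @test-set { ip saddr timeout 2m }` case from the cover text. Whether the converse (an expression attached to a set that lacks NFT_SET_EVAL) is still rejected cannot be decided from this context, as any such check lies in the part of nft_dynset_init above the hunk; confirm that the VZ7 tree matches upstream there before merging the cherry-pick, and consider turning the four nft commands from the cover text into a regression test so this path stays covered.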
-- 
2.44.0


