diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-10-16 14:30:05 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-10-23 13:01:34 +0200 |
| commit | d54725cd11a57c30f650260cfb0a92c268bdc3e0 (patch) | |
| tree | 50cd422f3306ee78c355c0f0e0a4d45a9168eddc /net/netfilter/nf_tables_offload.c | |
| parent | bbaef955af6efa6a9090b86430e452086d8fce02 (diff) | |
| download | linux-d54725cd11a57c30f650260cfb0a92c268bdc3e0.tar.gz | |
netfilter: nf_tables: support for multiple devices per netdev hook
This patch allows you to register one netdev basechain to multiple
devices. This adds a new NFTA_HOOK_DEVS netlink attribute to specify
the list of netdevices. Basechains store a list of hooks.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter/nf_tables_offload.c')
| -rw-r--r-- | net/netfilter/nf_tables_offload.c | 44 |
1 files changed, 31 insertions, 13 deletions
diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c index e7f32a9dad6367..beeb74f2b47df9 100644 --- a/net/netfilter/nf_tables_offload.c +++ b/net/netfilter/nf_tables_offload.c @@ -317,38 +317,47 @@ static int nft_indr_block_offload_cmd(struct nft_base_chain *chain, #define FLOW_SETUP_BLOCK TC_SETUP_BLOCK static int nft_flow_block_chain(struct nft_base_chain *basechain, - struct net_device *dev, + const struct net_device *this_dev, enum flow_block_command cmd) { - if (dev->netdev_ops->ndo_setup_tc) - return nft_block_offload_cmd(basechain, dev, cmd); + struct net_device *dev; + struct nft_hook *hook; + int err; + + list_for_each_entry(hook, &basechain->hook_list, list) { + dev = hook->ops.dev; + if (this_dev && this_dev != dev) + continue; - return nft_indr_block_offload_cmd(basechain, dev, cmd); + if (dev->netdev_ops->ndo_setup_tc) + err = nft_block_offload_cmd(basechain, dev, cmd); + else + err = nft_indr_block_offload_cmd(basechain, dev, cmd); + + if (err < 0) + return err; + } + + return 0; } -static int nft_flow_offload_chain(struct nft_chain *chain, - u8 *ppolicy, +static int nft_flow_offload_chain(struct nft_chain *chain, u8 *ppolicy, enum flow_block_command cmd) { struct nft_base_chain *basechain; - struct net_device *dev; u8 policy; if (!nft_is_base_chain(chain)) return -EOPNOTSUPP; basechain = nft_base_chain(chain); - dev = basechain->ops.dev; - if (!dev) - return -EOPNOTSUPP; - policy = ppolicy ? *ppolicy : basechain->policy; /* Only default policy to accept is supported for now. */ if (cmd == FLOW_BLOCK_BIND && policy == NF_DROP) return -EOPNOTSUPP; - return nft_flow_block_chain(basechain, dev, cmd); + return nft_flow_block_chain(basechain, NULL, cmd); } int nft_flow_rule_offload_commit(struct net *net) @@ -414,6 +423,7 @@ static struct nft_chain *__nft_offload_get_chain(struct net_device *dev) { struct nft_base_chain *basechain; struct net *net = dev_net(dev); + struct nft_hook *hook, *found; const struct nft_table *table; struct nft_chain *chain; @@ -426,8 +436,16 @@ static struct nft_chain *__nft_offload_get_chain(struct net_device *dev) !(chain->flags & NFT_CHAIN_HW_OFFLOAD)) continue; + found = NULL; basechain = nft_base_chain(chain); - if (strncmp(basechain->dev_name, dev->name, IFNAMSIZ)) + list_for_each_entry(hook, &basechain->hook_list, list) { + if (hook->ops.dev != dev) + continue; + + found = hook; + break; + } + if (!found) continue; return chain; |