Skip to content

Commit 20a1452

Browse files
ummakynesummakynes
committed
netfilter: nf_tables: add nft_setelem_parse_key()
Add helper function to parse the set element key netlink attribute. v4: No changes v3: New patch [sbrivio: refactor error paths and labels; use NFT_DATA_VALUE_MAXLEN instead of sizeof(*key) in helper, value can be longer than that; rebase] Signed-off-by: Pablo Neira Ayuso <[email protected]>
1 parent 32efcc0 commit 20a1452

File tree

1 file changed

+45
-46
lines changed

1 file changed

+45
-46
lines changed

net/netfilter/nf_tables_api.c

Lines changed: 45 additions & 46 deletions
Original file line numberDiff line numberDiff line change
@@ -4524,11 +4524,28 @@ static int nft_setelem_parse_flags(const struct nft_set *set,
45244524
return 0;
45254525
}
45264526

4527+
static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
4528+
struct nft_data *key, struct nlattr *attr)
4529+
{
4530+
struct nft_data_desc desc;
4531+
int err;
4532+
4533+
err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr);
4534+
if (err < 0)
4535+
return err;
4536+
4537+
if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) {
4538+
nft_data_release(key, desc.type);
4539+
return -EINVAL;
4540+
}
4541+
4542+
return 0;
4543+
}
4544+
45274545
static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
45284546
const struct nlattr *attr)
45294547
{
45304548
struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4531-
struct nft_data_desc desc;
45324549
struct nft_set_elem elem;
45334550
struct sk_buff *skb;
45344551
uint32_t flags = 0;
@@ -4547,17 +4564,11 @@ static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
45474564
if (err < 0)
45484565
return err;
45494566

4550-
err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4551-
nla[NFTA_SET_ELEM_KEY]);
4567+
err = nft_setelem_parse_key(ctx, set, &elem.key.val,
4568+
nla[NFTA_SET_ELEM_KEY]);
45524569
if (err < 0)
45534570
return err;
45544571

4555-
err = -EINVAL;
4556-
if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) {
4557-
nft_data_release(&elem.key.val, desc.type);
4558-
return err;
4559-
}
4560-
45614572
priv = set->ops->get(ctx->net, set, &elem, flags);
45624573
if (IS_ERR(priv))
45634574
return PTR_ERR(priv);
@@ -4756,13 +4767,13 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
47564767
{
47574768
struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
47584769
u8 genmask = nft_genmask_next(ctx->net);
4759-
struct nft_data_desc d1, d2;
47604770
struct nft_set_ext_tmpl tmpl;
47614771
struct nft_set_ext *ext, *ext2;
47624772
struct nft_set_elem elem;
47634773
struct nft_set_binding *binding;
47644774
struct nft_object *obj = NULL;
47654775
struct nft_userdata *udata;
4776+
struct nft_data_desc desc;
47664777
struct nft_data data;
47674778
enum nft_registers dreg;
47684779
struct nft_trans *trans;
@@ -4828,15 +4839,12 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
48284839
return err;
48294840
}
48304841

4831-
err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
4832-
nla[NFTA_SET_ELEM_KEY]);
4842+
err = nft_setelem_parse_key(ctx, set, &elem.key.val,
4843+
nla[NFTA_SET_ELEM_KEY]);
48334844
if (err < 0)
48344845
goto err1;
4835-
err = -EINVAL;
4836-
if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
4837-
goto err2;
48384846

4839-
nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
4847+
nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
48404848
if (timeout > 0) {
48414849
nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
48424850
if (timeout != set->timeout)
@@ -4859,13 +4867,13 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
48594867
}
48604868

48614869
if (nla[NFTA_SET_ELEM_DATA] != NULL) {
4862-
err = nft_data_init(ctx, &data, sizeof(data), &d2,
4870+
err = nft_data_init(ctx, &data, sizeof(data), &desc,
48634871
nla[NFTA_SET_ELEM_DATA]);
48644872
if (err < 0)
48654873
goto err2;
48664874

48674875
err = -EINVAL;
4868-
if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
4876+
if (set->dtype != NFT_DATA_VERDICT && desc.len != set->dlen)
48694877
goto err3;
48704878

48714879
dreg = nft_type_to_reg(set->dtype);
@@ -4882,18 +4890,18 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
48824890

48834891
err = nft_validate_register_store(&bind_ctx, dreg,
48844892
&data,
4885-
d2.type, d2.len);
4893+
desc.type, desc.len);
48864894
if (err < 0)
48874895
goto err3;
48884896

4889-
if (d2.type == NFT_DATA_VERDICT &&
4897+
if (desc.type == NFT_DATA_VERDICT &&
48904898
(data.verdict.code == NFT_GOTO ||
48914899
data.verdict.code == NFT_JUMP))
48924900
nft_validate_state_update(ctx->net,
48934901
NFT_VALIDATE_NEED);
48944902
}
48954903

4896-
nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4904+
nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
48974905
}
48984906

48994907
/* The full maximum length of userdata can exceed the maximum
@@ -4976,9 +4984,9 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
49764984
kfree(elem.priv);
49774985
err3:
49784986
if (nla[NFTA_SET_ELEM_DATA] != NULL)
4979-
nft_data_release(&data, d2.type);
4987+
nft_data_release(&data, desc.type);
49804988
err2:
4981-
nft_data_release(&elem.key.val, d1.type);
4989+
nft_data_release(&elem.key.val, NFT_DATA_VALUE);
49824990
err1:
49834991
return err;
49844992
}
@@ -5074,7 +5082,6 @@ static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
50745082
{
50755083
struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
50765084
struct nft_set_ext_tmpl tmpl;
5077-
struct nft_data_desc desc;
50785085
struct nft_set_elem elem;
50795086
struct nft_set_ext *ext;
50805087
struct nft_trans *trans;
@@ -5085,11 +5092,10 @@ static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
50855092
err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
50865093
nft_set_elem_policy, NULL);
50875094
if (err < 0)
5088-
goto err1;
5095+
return err;
50895096

5090-
err = -EINVAL;
50915097
if (nla[NFTA_SET_ELEM_KEY] == NULL)
5092-
goto err1;
5098+
return -EINVAL;
50935099

50945100
nft_set_ext_prepare(&tmpl);
50955101

@@ -5099,37 +5105,31 @@ static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
50995105
if (flags != 0)
51005106
nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
51015107

5102-
err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
5103-
nla[NFTA_SET_ELEM_KEY]);
5108+
err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5109+
nla[NFTA_SET_ELEM_KEY]);
51045110
if (err < 0)
5105-
goto err1;
5106-
5107-
err = -EINVAL;
5108-
if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
5109-
goto err2;
5111+
return err;
51105112

5111-
nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
5113+
nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
51125114

51135115
err = -ENOMEM;
51145116
elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
51155117
0, GFP_KERNEL);
51165118
if (elem.priv == NULL)
5117-
goto err2;
5119+
goto fail_elem;
51185120

51195121
ext = nft_set_elem_ext(set, elem.priv);
51205122
if (flags)
51215123
*nft_set_ext_flags(ext) = flags;
51225124

51235125
trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
5124-
if (trans == NULL) {
5125-
err = -ENOMEM;
5126-
goto err3;
5127-
}
5126+
if (trans == NULL)
5127+
goto fail_trans;
51285128

51295129
priv = set->ops->deactivate(ctx->net, set, &elem);
51305130
if (priv == NULL) {
51315131
err = -ENOENT;
5132-
goto err4;
5132+
goto fail_ops;
51335133
}
51345134
kfree(elem.priv);
51355135
elem.priv = priv;
@@ -5140,13 +5140,12 @@ static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
51405140
list_add_tail(&trans->list, &ctx->net->nft.commit_list);
51415141
return 0;
51425142

5143-
err4:
5143+
fail_ops:
51445144
kfree(trans);
5145-
err3:
5145+
fail_trans:
51465146
kfree(elem.priv);
5147-
err2:
5148-
nft_data_release(&elem.key.val, desc.type);
5149-
err1:
5147+
fail_elem:
5148+
nft_data_release(&elem.key.val, NFT_DATA_VALUE);
51505149
return err;
51515150
}
51525151

0 commit comments

Comments
 (0)