projects / GitHub / exynos8895 / android_kernel_samsung_universal8895.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f25ad2e)
netfilter: nf_tables: mark stateful expressions
authorPatrick McHardy <kaber@trash.net>
Sat, 11 Apr 2015 09:46:40 +0000 (10:46 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Mon, 13 Apr 2015 18:12:31 +0000 (20:12 +0200)
Add a flag to mark stateful expressions.

This is used for dynamic expression instanstiation to limit the usable
expressions. Strictly speaking only the dynset expression can not be
used in order to avoid recursion, but since dynamically instantiating
non-stateful expressions will simply create an identical copy, which
behaves no differently than the original, this limits to expressions
where it actually makes sense to dynamically instantiate them.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
include/net/netfilter/nf_tables.h patch | blob | blame | history
net/netfilter/nft_counter.c patch | blob | blame | history
net/netfilter/nft_limit.c patch | blob | blame | history

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index d45a871b3da686d9bd274da559c495ae553ee089..e6bcf55dcf2008b83a8a40896fcce2e011653e1b 100644 (file)
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -583,6 +583,7 @@ static inline void nft_set_gc_batch_add(struct nft_set_gc_batch *gcb,
  *     @policy: netlink attribute policy
  *     @maxattr: highest netlink attribute number
  *     @family: address family for AF-specific types
+ *     @flags: expression type flags
  */
 struct nft_expr_type {
        const struct nft_expr_ops       *(*select_ops)(const struct nft_ctx *,
@@ -594,8 +595,11 @@ struct nft_expr_type {
        const struct nla_policy         *policy;
        unsigned int                    maxattr;
        u8                              family;
+       u8                              flags;
 };
 
+#define NFT_EXPR_STATEFUL              0x1
+
 /**
  *     struct nft_expr_ops - nf_tables expression operations
  *
diff --git a/net/netfilter/nft_counter.c b/net/netfilter/nft_counter.c
index 0f6367e3e540cb4cb7ce3a81d5f8048e84418040..17591239229f75564b944dc7db61e1dae6a2f1f1 100644 (file)
--- a/net/netfilter/nft_counter.c
+++ b/net/netfilter/nft_counter.c
@@ -92,6 +92,7 @@ static struct nft_expr_type nft_counter_type __read_mostly = {
        .ops            = &nft_counter_ops,
        .policy         = nft_counter_policy,
        .maxattr        = NFTA_COUNTER_MAX,
+       .flags          = NFT_EXPR_STATEFUL,
        .owner          = THIS_MODULE,
 };
 
diff --git a/net/netfilter/nft_limit.c b/net/netfilter/nft_limit.c
index c8620456afd8364d188ba8e7b6a59d34aef92e16..435c1ccd6c0e6a74266b2054a62f603d038ecb00 100644 (file)
--- a/net/netfilter/nft_limit.c
+++ b/net/netfilter/nft_limit.c
@@ -98,6 +98,7 @@ static struct nft_expr_type nft_limit_type __read_mostly = {
        .ops            = &nft_limit_ops,
        .policy         = nft_limit_policy,
        .maxattr        = NFTA_LIMIT_MAX,
+       .flags          = NFT_EXPR_STATEFUL,
        .owner          = THIS_MODULE,
 };