Commit e240cd0d authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso

netfilter: nf_tables: place all set backends in one single module

This patch disallows rbtree with single elements, which is causing
problems with the recent timeout support. Before this patch, you
could opt out individual set representations per module, which is
just adding extra complexity.

Fixes: 8d8540c4("netfilter: nft_set_rbtree: add timeout support")
Reported-by: default avatarTaehee Yoo <ap420073@gmail.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 5711b4e8
...@@ -65,4 +65,10 @@ extern const struct nft_expr_ops nft_payload_fast_ops; ...@@ -65,4 +65,10 @@ extern const struct nft_expr_ops nft_payload_fast_ops;
extern struct static_key_false nft_counters_enabled; extern struct static_key_false nft_counters_enabled;
extern struct static_key_false nft_trace_enabled; extern struct static_key_false nft_trace_enabled;
extern struct nft_set_type nft_set_rhash_type;
extern struct nft_set_type nft_set_hash_type;
extern struct nft_set_type nft_set_hash_fast_type;
extern struct nft_set_type nft_set_rbtree_type;
extern struct nft_set_type nft_set_bitmap_type;
#endif /* _NET_NF_TABLES_CORE_H */ #endif /* _NET_NF_TABLES_CORE_H */
...@@ -460,6 +460,13 @@ config NF_TABLES ...@@ -460,6 +460,13 @@ config NF_TABLES
if NF_TABLES if NF_TABLES
config NF_TABLES_SET
tristate "Netfilter nf_tables set infrastructure"
help
This option enables the nf_tables set infrastructure that allows to
look up for elements in a set and to build one-way mappings between
matchings and actions.
config NF_TABLES_INET config NF_TABLES_INET
depends on IPV6 depends on IPV6
select NF_TABLES_IPV4 select NF_TABLES_IPV4
...@@ -493,24 +500,6 @@ config NFT_FLOW_OFFLOAD ...@@ -493,24 +500,6 @@ config NFT_FLOW_OFFLOAD
This option adds the "flow_offload" expression that you can use to This option adds the "flow_offload" expression that you can use to
choose what flows are placed into the hardware. choose what flows are placed into the hardware.
config NFT_SET_RBTREE
tristate "Netfilter nf_tables rbtree set module"
help
This option adds the "rbtree" set type (Red Black tree) that is used
to build interval-based sets.
config NFT_SET_HASH
tristate "Netfilter nf_tables hash set module"
help
This option adds the "hash" set type that is used to build one-way
mappings between matchings and actions.
config NFT_SET_BITMAP
tristate "Netfilter nf_tables bitmap set module"
help
This option adds the "bitmap" set type that is used to build sets
whose keys are smaller or equal to 16 bits.
config NFT_COUNTER config NFT_COUNTER
tristate "Netfilter nf_tables counter module" tristate "Netfilter nf_tables counter module"
help help
......
...@@ -78,7 +78,11 @@ nf_tables-objs := nf_tables_core.o nf_tables_api.o nft_chain_filter.o \ ...@@ -78,7 +78,11 @@ nf_tables-objs := nf_tables_core.o nf_tables_api.o nft_chain_filter.o \
nft_bitwise.o nft_byteorder.o nft_payload.o nft_lookup.o \ nft_bitwise.o nft_byteorder.o nft_payload.o nft_lookup.o \
nft_dynset.o nft_meta.o nft_rt.o nft_exthdr.o nft_dynset.o nft_meta.o nft_rt.o nft_exthdr.o
nf_tables_set-objs := nf_tables_set_core.o \
nft_set_hash.o nft_set_bitmap.o nft_set_rbtree.o
obj-$(CONFIG_NF_TABLES) += nf_tables.o obj-$(CONFIG_NF_TABLES) += nf_tables.o
obj-$(CONFIG_NF_TABLES_SET) += nf_tables_set.o
obj-$(CONFIG_NFT_COMPAT) += nft_compat.o obj-$(CONFIG_NFT_COMPAT) += nft_compat.o
obj-$(CONFIG_NFT_CONNLIMIT) += nft_connlimit.o obj-$(CONFIG_NFT_CONNLIMIT) += nft_connlimit.o
obj-$(CONFIG_NFT_NUMGEN) += nft_numgen.o obj-$(CONFIG_NFT_NUMGEN) += nft_numgen.o
...@@ -91,9 +95,6 @@ obj-$(CONFIG_NFT_QUEUE) += nft_queue.o ...@@ -91,9 +95,6 @@ obj-$(CONFIG_NFT_QUEUE) += nft_queue.o
obj-$(CONFIG_NFT_QUOTA) += nft_quota.o obj-$(CONFIG_NFT_QUOTA) += nft_quota.o
obj-$(CONFIG_NFT_REJECT) += nft_reject.o obj-$(CONFIG_NFT_REJECT) += nft_reject.o
obj-$(CONFIG_NFT_REJECT_INET) += nft_reject_inet.o obj-$(CONFIG_NFT_REJECT_INET) += nft_reject_inet.o
obj-$(CONFIG_NFT_SET_RBTREE) += nft_set_rbtree.o
obj-$(CONFIG_NFT_SET_HASH) += nft_set_hash.o
obj-$(CONFIG_NFT_SET_BITMAP) += nft_set_bitmap.o
obj-$(CONFIG_NFT_COUNTER) += nft_counter.o obj-$(CONFIG_NFT_COUNTER) += nft_counter.o
obj-$(CONFIG_NFT_LOG) += nft_log.o obj-$(CONFIG_NFT_LOG) += nft_log.o
obj-$(CONFIG_NFT_MASQ) += nft_masq.o obj-$(CONFIG_NFT_MASQ) += nft_masq.o
......
/* SPDX-License-Identifier: GPL-2.0 */
#include <net/netfilter/nf_tables_core.h>
static int __init nf_tables_set_module_init(void)
{
nft_register_set(&nft_set_hash_fast_type);
nft_register_set(&nft_set_hash_type);
nft_register_set(&nft_set_rhash_type);
nft_register_set(&nft_set_bitmap_type);
nft_register_set(&nft_set_rbtree_type);
return 0;
}
static void __exit nf_tables_set_module_exit(void)
{
nft_unregister_set(&nft_set_rbtree_type);
nft_unregister_set(&nft_set_bitmap_type);
nft_unregister_set(&nft_set_rhash_type);
nft_unregister_set(&nft_set_hash_type);
nft_unregister_set(&nft_set_hash_fast_type);
}
module_init(nf_tables_set_module_init);
module_exit(nf_tables_set_module_exit);
MODULE_LICENSE("GPL");
MODULE_ALIAS_NFT_SET();
...@@ -296,7 +296,7 @@ static bool nft_bitmap_estimate(const struct nft_set_desc *desc, u32 features, ...@@ -296,7 +296,7 @@ static bool nft_bitmap_estimate(const struct nft_set_desc *desc, u32 features,
return true; return true;
} }
static struct nft_set_type nft_bitmap_type __read_mostly = { struct nft_set_type nft_set_bitmap_type __read_mostly = {
.owner = THIS_MODULE, .owner = THIS_MODULE,
.ops = { .ops = {
.privsize = nft_bitmap_privsize, .privsize = nft_bitmap_privsize,
...@@ -314,20 +314,3 @@ static struct nft_set_type nft_bitmap_type __read_mostly = { ...@@ -314,20 +314,3 @@ static struct nft_set_type nft_bitmap_type __read_mostly = {
.get = nft_bitmap_get, .get = nft_bitmap_get,
}, },
}; };
static int __init nft_bitmap_module_init(void)
{
return nft_register_set(&nft_bitmap_type);
}
static void __exit nft_bitmap_module_exit(void)
{
nft_unregister_set(&nft_bitmap_type);
}
module_init(nft_bitmap_module_init);
module_exit(nft_bitmap_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NFT_SET();
...@@ -654,7 +654,7 @@ static bool nft_hash_fast_estimate(const struct nft_set_desc *desc, u32 features ...@@ -654,7 +654,7 @@ static bool nft_hash_fast_estimate(const struct nft_set_desc *desc, u32 features
return true; return true;
} }
static struct nft_set_type nft_rhash_type __read_mostly = { struct nft_set_type nft_set_rhash_type __read_mostly = {
.owner = THIS_MODULE, .owner = THIS_MODULE,
.features = NFT_SET_MAP | NFT_SET_OBJECT | .features = NFT_SET_MAP | NFT_SET_OBJECT |
NFT_SET_TIMEOUT | NFT_SET_EVAL, NFT_SET_TIMEOUT | NFT_SET_EVAL,
...@@ -677,7 +677,7 @@ static struct nft_set_type nft_rhash_type __read_mostly = { ...@@ -677,7 +677,7 @@ static struct nft_set_type nft_rhash_type __read_mostly = {
}, },
}; };
static struct nft_set_type nft_hash_type __read_mostly = { struct nft_set_type nft_set_hash_type __read_mostly = {
.owner = THIS_MODULE, .owner = THIS_MODULE,
.features = NFT_SET_MAP | NFT_SET_OBJECT, .features = NFT_SET_MAP | NFT_SET_OBJECT,
.ops = { .ops = {
...@@ -697,7 +697,7 @@ static struct nft_set_type nft_hash_type __read_mostly = { ...@@ -697,7 +697,7 @@ static struct nft_set_type nft_hash_type __read_mostly = {
}, },
}; };
static struct nft_set_type nft_hash_fast_type __read_mostly = { struct nft_set_type nft_set_hash_fast_type __read_mostly = {
.owner = THIS_MODULE, .owner = THIS_MODULE,
.features = NFT_SET_MAP | NFT_SET_OBJECT, .features = NFT_SET_MAP | NFT_SET_OBJECT,
.ops = { .ops = {
...@@ -716,26 +716,3 @@ static struct nft_set_type nft_hash_fast_type __read_mostly = { ...@@ -716,26 +716,3 @@ static struct nft_set_type nft_hash_fast_type __read_mostly = {
.get = nft_hash_get, .get = nft_hash_get,
}, },
}; };
static int __init nft_hash_module_init(void)
{
if (nft_register_set(&nft_hash_fast_type) ||
nft_register_set(&nft_hash_type) ||
nft_register_set(&nft_rhash_type))
return 1;
return 0;
}
static void __exit nft_hash_module_exit(void)
{
nft_unregister_set(&nft_rhash_type);
nft_unregister_set(&nft_hash_type);
nft_unregister_set(&nft_hash_fast_type);
}
module_init(nft_hash_module_init);
module_exit(nft_hash_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_SET();
...@@ -462,7 +462,7 @@ static bool nft_rbtree_estimate(const struct nft_set_desc *desc, u32 features, ...@@ -462,7 +462,7 @@ static bool nft_rbtree_estimate(const struct nft_set_desc *desc, u32 features,
return true; return true;
} }
static struct nft_set_type nft_rbtree_type __read_mostly = { struct nft_set_type nft_set_rbtree_type __read_mostly = {
.owner = THIS_MODULE, .owner = THIS_MODULE,
.features = NFT_SET_INTERVAL | NFT_SET_MAP | NFT_SET_OBJECT | NFT_SET_TIMEOUT, .features = NFT_SET_INTERVAL | NFT_SET_MAP | NFT_SET_OBJECT | NFT_SET_TIMEOUT,
.ops = { .ops = {
...@@ -481,20 +481,3 @@ static struct nft_set_type nft_rbtree_type __read_mostly = { ...@@ -481,20 +481,3 @@ static struct nft_set_type nft_rbtree_type __read_mostly = {
.get = nft_rbtree_get, .get = nft_rbtree_get,
}, },
}; };
static int __init nft_rbtree_module_init(void)
{
return nft_register_set(&nft_rbtree_type);
}
static void __exit nft_rbtree_module_exit(void)
{
nft_unregister_set(&nft_rbtree_type);
}
module_init(nft_rbtree_module_init);
module_exit(nft_rbtree_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_SET();
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment