Commit 5467a512 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso

netfilter: nf_tables: fix goto action

This patch fixes a crash when trying to access the counters and the
default chain policy from the non-base chain that we have reached
via the goto chain. Fix this by falling back on the original base
chain after returning from the custom chain.

While fixing this, kill the inline function to account chain statistics
to improve source code readability.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent d088be80
...@@ -66,20 +66,6 @@ struct nft_jumpstack { ...@@ -66,20 +66,6 @@ struct nft_jumpstack {
int rulenum; int rulenum;
}; };
static inline void
nft_chain_stats(const struct nft_chain *this, const struct nft_pktinfo *pkt,
struct nft_jumpstack *jumpstack, unsigned int stackptr)
{
struct nft_stats __percpu *stats;
const struct nft_chain *chain = stackptr ? jumpstack[0].chain : this;
rcu_read_lock_bh();
stats = rcu_dereference(nft_base_chain(chain)->stats);
__this_cpu_inc(stats->pkts);
__this_cpu_add(stats->bytes, pkt->skb->len);
rcu_read_unlock_bh();
}
enum nft_trace { enum nft_trace {
NFT_TRACE_RULE, NFT_TRACE_RULE,
NFT_TRACE_RETURN, NFT_TRACE_RETURN,
...@@ -117,12 +103,13 @@ static void nft_trace_packet(const struct nft_pktinfo *pkt, ...@@ -117,12 +103,13 @@ static void nft_trace_packet(const struct nft_pktinfo *pkt,
unsigned int unsigned int
nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops) nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)
{ {
const struct nft_chain *chain = ops->priv; const struct nft_chain *chain = ops->priv, *basechain = chain;
const struct nft_rule *rule; const struct nft_rule *rule;
const struct nft_expr *expr, *last; const struct nft_expr *expr, *last;
struct nft_data data[NFT_REG_MAX + 1]; struct nft_data data[NFT_REG_MAX + 1];
unsigned int stackptr = 0; unsigned int stackptr = 0;
struct nft_jumpstack jumpstack[NFT_JUMP_STACK_SIZE]; struct nft_jumpstack jumpstack[NFT_JUMP_STACK_SIZE];
struct nft_stats __percpu *stats;
int rulenum; int rulenum;
/* /*
* Cache cursor to avoid problems in case that the cursor is updated * Cache cursor to avoid problems in case that the cursor is updated
...@@ -209,12 +196,17 @@ nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops) ...@@ -209,12 +196,17 @@ nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)
rulenum = jumpstack[stackptr].rulenum; rulenum = jumpstack[stackptr].rulenum;
goto next_rule; goto next_rule;
} }
nft_chain_stats(chain, pkt, jumpstack, stackptr);
if (unlikely(pkt->skb->nf_trace)) if (unlikely(pkt->skb->nf_trace))
nft_trace_packet(pkt, chain, ++rulenum, NFT_TRACE_POLICY); nft_trace_packet(pkt, basechain, ++rulenum, NFT_TRACE_POLICY);
rcu_read_lock_bh();
stats = rcu_dereference(nft_base_chain(basechain)->stats);
__this_cpu_inc(stats->pkts);
__this_cpu_add(stats->bytes, pkt->skb->len);
rcu_read_unlock_bh();
return nft_base_chain(chain)->policy; return nft_base_chain(basechain)->policy;
} }
EXPORT_SYMBOL_GPL(nft_do_chain); EXPORT_SYMBOL_GPL(nft_do_chain);
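Review bot: The fix relies on `basechain` staying fixed at the hook's entry chain while `chain` is moved by jump/goto, yet both are declared in one statement in the second hunk (`*chain = ops->priv, *basechain = chain;`) with nothing stating that invariant. I would split the declaration and document it, e.g. `const struct nft_chain *basechain = chain; /* hook entry chain, never reassigned; the only pointer valid for nft_base_chain() */`, since per the commit message passing a non-base chain to nft_base_chain() is what crashed. Separately, the policy trace in the last hunk now names `basechain` but still passes `++rulenum`, which after a goto presumably holds the rule index from the custom chain, so the traced rule number may not correspond to the base chain. That is worth confirming against the rule loop of nft_do_chain(), which lies outside the visible hunks.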