netfilter: nf_tables: make sets built-in (e32a4dc6) · Commits · 戴 / test

include/net/netfilter/nf_tables.h

+0 −6

Original line number	Diff line number	Diff line
		@@ -397,9 +397,6 @@ struct nft_set_type {
		};
		#define to_set_type(o) container_of(o, struct nft_set_type, ops)

		int nft_register_set(struct nft_set_type *type);
		void nft_unregister_set(struct nft_set_type *type);

		/**
		* struct nft_set - nf_tables set instance
		*
		@@ -1253,9 +1250,6 @@ void nft_trace_notify(struct nft_traceinfo *info);
		#define MODULE_ALIAS_NFT_EXPR(name) \
		MODULE_ALIAS("nft-expr-" name)

		#define MODULE_ALIAS_NFT_SET() \
		MODULE_ALIAS("nft-set")

		#define MODULE_ALIAS_NFT_OBJ(type) \
		MODULE_ALIAS("nft-obj-" __stringify(type))

net/netfilter/Kconfig

+0 −8

Original line number	Diff line number	Diff line
		@@ -455,14 +455,6 @@ config NF_TABLES
		To compile it as a module, choose M here.

		if NF_TABLES

		config NF_TABLES_SET
		tristate "Netfilter nf_tables set infrastructure"
		help
		This option enables the nf_tables set infrastructure that allows to
		look up for elements in a set and to build one-way mappings between
		matchings and actions.

		config NF_TABLES_INET
		depends on IPV6
		select NF_TABLES_IPV4

net/netfilter/Makefile

+3 −6

Original line number	Diff line number	Diff line
		@@ -78,14 +78,11 @@ nf_tables-objs := nf_tables_core.o nf_tables_api.o nft_chain_filter.o \
		nf_tables_trace.o nft_immediate.o nft_cmp.o nft_range.o \
		nft_bitwise.o nft_byteorder.o nft_payload.o nft_lookup.o \
		nft_dynset.o nft_meta.o nft_rt.o nft_exthdr.o \
		nft_chain_route.o nf_tables_offload.o

		nf_tables_set-objs := nf_tables_set_core.o \
		nft_chain_route.o nf_tables_offload.o \
		nft_set_hash.o nft_set_bitmap.o nft_set_rbtree.o \
		nft_set_pipapo.o

		obj-$(CONFIG_NF_TABLES) += nf_tables.o
		obj-$(CONFIG_NF_TABLES_SET) += nf_tables_set.o
		obj-$(CONFIG_NFT_COMPAT) += nft_compat.o
		obj-$(CONFIG_NFT_CONNLIMIT) += nft_connlimit.o
		obj-$(CONFIG_NFT_NUMGEN) += nft_numgen.o

net/netfilter/nf_tables_api.c

+12 −29

Original line number	Diff line number	Diff line
		@@ -3266,25 +3266,14 @@ static int nf_tables_delrule(struct net net, struct sock nlsk,
		/*
		* Sets
		*/

		static LIST_HEAD(nf_tables_set_types);

		int nft_register_set(struct nft_set_type *type)
		{
		nfnl_lock(NFNL_SUBSYS_NFTABLES);
		list_add_tail_rcu(&type->list, &nf_tables_set_types);
		nfnl_unlock(NFNL_SUBSYS_NFTABLES);
		return 0;
		}
		EXPORT_SYMBOL_GPL(nft_register_set);

		void nft_unregister_set(struct nft_set_type *type)
		{
		nfnl_lock(NFNL_SUBSYS_NFTABLES);
		list_del_rcu(&type->list);
		nfnl_unlock(NFNL_SUBSYS_NFTABLES);
		}
		EXPORT_SYMBOL_GPL(nft_unregister_set);
		static const struct nft_set_type *nft_set_types[] = {
		&nft_set_hash_fast_type,
		&nft_set_hash_type,
		&nft_set_rhash_type,
		&nft_set_bitmap_type,
		&nft_set_rbtree_type,
		&nft_set_pipapo_type,
		};

		#define NFT_SET_FEATURES (NFT_SET_INTERVAL \| NFT_SET_MAP \| \
		NFT_SET_TIMEOUT \| NFT_SET_OBJECT \| \
		@@ -3310,15 +3299,11 @@ nft_select_set_ops(const struct nft_ctx *ctx,
		struct nft_set_estimate est, best;
		const struct nft_set_type *type;
		u32 flags = 0;
		int i;

		lockdep_assert_held(&ctx->net->nft.commit_mutex);
		lockdep_nfnl_nft_mutex_not_held();
		#ifdef CONFIG_MODULES
		if (list_empty(&nf_tables_set_types)) {
		if (nft_request_module(ctx->net, "nft-set") == -EAGAIN)
		return ERR_PTR(-EAGAIN);
		}
		#endif

		if (nla[NFTA_SET_FLAGS] != NULL)
		flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));

		@@ -3327,7 +3312,8 @@ nft_select_set_ops(const struct nft_ctx *ctx,
		best.lookup = ~0;
		best.space = ~0;

		list_for_each_entry(type, &nf_tables_set_types, list) {
		for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
		type = nft_set_types[i];
		ops = &type->ops;

		if (!nft_set_ops_candidate(type, flags))
		@@ -4312,7 +4298,6 @@ const struct nft_set_ext_type nft_set_ext_types[] = {
		.align = __alignof__(u32),
		},
		};
		EXPORT_SYMBOL_GPL(nft_set_ext_types);

		/*
		* Set elements
		@@ -5365,7 +5350,6 @@ void nft_set_gc_batch_release(struct rcu_head *rcu)
		nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
		kfree(gcb);
		}
		EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);

		struct nft_set_gc_batch nft_set_gc_batch_alloc(const struct nft_set set,
		gfp_t gfp)
		@@ -5378,7 +5362,6 @@ struct nft_set_gc_batch nft_set_gc_batch_alloc(const struct nft_set set,
		gcb->head.set = set;
		return gcb;
		}
		EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);

		/*
		* Stateful objects

net/netfilter/nf_tables_set_core.c

deleted100644 → 0

+0 −31

Original line number	Diff line number	Diff line
		/* SPDX-License-Identifier: GPL-2.0 */
		#include <linux/module.h>
		#include <net/netfilter/nf_tables_core.h>

		static int __init nf_tables_set_module_init(void)
		{
		nft_register_set(&nft_set_hash_fast_type);
		nft_register_set(&nft_set_hash_type);
		nft_register_set(&nft_set_rhash_type);
		nft_register_set(&nft_set_bitmap_type);
		nft_register_set(&nft_set_rbtree_type);
		nft_register_set(&nft_set_pipapo_type);

		return 0;
		}

		static void __exit nf_tables_set_module_exit(void)
		{
		nft_unregister_set(&nft_set_pipapo_type);
		nft_unregister_set(&nft_set_rbtree_type);
		nft_unregister_set(&nft_set_bitmap_type);
		nft_unregister_set(&nft_set_rhash_type);
		nft_unregister_set(&nft_set_hash_type);
		nft_unregister_set(&nft_set_hash_fast_type);
		}

		module_init(nf_tables_set_module_init);
		module_exit(nf_tables_set_module_exit);

		MODULE_LICENSE("GPL");
		MODULE_ALIAS_NFT_SET();

Admin message