Commit 151d799a authored by Patrick McHardy's avatar Patrick McHardy Committed by Pablo Neira Ayuso

netfilter: nf_tables: mark stateful expressions

Add a flag to mark stateful expressions.

This is used for dynamic expression instanstiation to limit the usable
expressions. Strictly speaking only the dynset expression can not be
used in order to avoid recursion, but since dynamically instantiating
non-stateful expressions will simply create an identical copy, which
behaves no differently than the original, this limits to expressions
where it actually makes sense to dynamically instantiate them.
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent f25ad2e9
...@@ -583,6 +583,7 @@ static inline void nft_set_gc_batch_add(struct nft_set_gc_batch *gcb, ...@@ -583,6 +583,7 @@ static inline void nft_set_gc_batch_add(struct nft_set_gc_batch *gcb,
* @policy: netlink attribute policy * @policy: netlink attribute policy
* @maxattr: highest netlink attribute number * @maxattr: highest netlink attribute number
* @family: address family for AF-specific types * @family: address family for AF-specific types
* @flags: expression type flags
*/ */
struct nft_expr_type { struct nft_expr_type {
const struct nft_expr_ops *(*select_ops)(const struct nft_ctx *, const struct nft_expr_ops *(*select_ops)(const struct nft_ctx *,
...@@ -594,8 +595,11 @@ struct nft_expr_type { ...@@ -594,8 +595,11 @@ struct nft_expr_type {
const struct nla_policy *policy; const struct nla_policy *policy;
unsigned int maxattr; unsigned int maxattr;
u8 family; u8 family;
u8 flags;
}; };
#define NFT_EXPR_STATEFUL 0x1
/** /**
* struct nft_expr_ops - nf_tables expression operations * struct nft_expr_ops - nf_tables expression operations
* *
......
...@@ -92,6 +92,7 @@ static struct nft_expr_type nft_counter_type __read_mostly = { ...@@ -92,6 +92,7 @@ static struct nft_expr_type nft_counter_type __read_mostly = {
.ops = &nft_counter_ops, .ops = &nft_counter_ops,
.policy = nft_counter_policy, .policy = nft_counter_policy,
.maxattr = NFTA_COUNTER_MAX, .maxattr = NFTA_COUNTER_MAX,
.flags = NFT_EXPR_STATEFUL,
.owner = THIS_MODULE, .owner = THIS_MODULE,
}; };
......
...@@ -98,6 +98,7 @@ static struct nft_expr_type nft_limit_type __read_mostly = { ...@@ -98,6 +98,7 @@ static struct nft_expr_type nft_limit_type __read_mostly = {
.ops = &nft_limit_ops, .ops = &nft_limit_ops,
.policy = nft_limit_policy, .policy = nft_limit_policy,
.maxattr = NFTA_LIMIT_MAX, .maxattr = NFTA_LIMIT_MAX,
.flags = NFT_EXPR_STATEFUL,
.owner = THIS_MODULE, .owner = THIS_MODULE,
}; };
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment