net: netfilter: Add kfuncs to set and change CT timeout
Introduce bpf_ct_set_timeout and bpf_ct_change_timeout kfunc helpers in order to change nf_conn timeout. This is same as ctnetlink_change_timeout, hence code is shared between both by extracting it out to __nf_ct_change_timeout. It is also updated to return an error when it sees IPS_FIXED_TIMEOUT_BIT bit in ct->status, as that check was missing. It is required to introduce two kfuncs taking nf_conn___init and nf_conn instead of sharing one because KF_TRUSTED_ARGS flag causes strict type checking. This would disallow passing nf_conn___init to kfunc taking nf_conn, and vice versa. We cannot remove the KF_TRUSTED_ARGS flag as we only want to accept refcounted pointers and not e.g. ct->master. Apart from this, bpf_ct_set_timeout is only called for newly allocated CT so it doesn't need to inspect the status field just yet. Sharing the helpers even if it was possible would make timeout setting helper sensitive to order of setting status and timeout after allocation. Hence, bpf_ct_set_* kfuncs are meant to be used on allocated CT, and bpf_ct_change_* kfuncs are meant to be used on inserted or looked up CT entry. Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> Link: https://lore.kernel.org/r/20220721134245.2450-9-memxor@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
This commit is contained in:
Родитель
d7e79c97c0
Коммит
0b38923644
|
@ -97,6 +97,8 @@ static inline void __nf_ct_set_timeout(struct nf_conn *ct, u64 timeout)
|
|||
WRITE_ONCE(ct->timeout, nfct_time_stamp + (u32)timeout);
|
||||
}
|
||||
|
||||
int __nf_ct_change_timeout(struct nf_conn *ct, u64 cta_timeout);
|
||||
|
||||
#endif
|
||||
|
||||
#endif /* _NF_CONNTRACK_CORE_H */
|
||||
|
|
|
@ -331,12 +331,12 @@ bpf_skb_ct_lookup(struct __sk_buff *skb_ctx, struct bpf_sock_tuple *bpf_tuple,
|
|||
*
|
||||
* This must be invoked for referenced PTR_TO_BTF_ID.
|
||||
*
|
||||
* @nfct__ref - Pointer to referenced nf_conn___init object, obtained
|
||||
* @nfct - Pointer to referenced nf_conn___init object, obtained
|
||||
* using bpf_xdp_ct_alloc or bpf_skb_ct_alloc.
|
||||
*/
|
||||
struct nf_conn *bpf_ct_insert_entry(struct nf_conn___init *nfct__ref)
|
||||
struct nf_conn *bpf_ct_insert_entry(struct nf_conn___init *nfct_i)
|
||||
{
|
||||
struct nf_conn *nfct = (struct nf_conn *)nfct__ref;
|
||||
struct nf_conn *nfct = (struct nf_conn *)nfct_i;
|
||||
int err;
|
||||
|
||||
err = nf_conntrack_hash_check_insert(nfct);
|
||||
|
@ -364,6 +364,36 @@ void bpf_ct_release(struct nf_conn *nfct)
|
|||
nf_ct_put(nfct);
|
||||
}
|
||||
|
||||
/* bpf_ct_set_timeout - Set timeout of allocated nf_conn
|
||||
*
|
||||
* Sets the default timeout of newly allocated nf_conn before insertion.
|
||||
* This helper must be invoked for refcounted pointer to nf_conn___init.
|
||||
*
|
||||
* Parameters:
|
||||
* @nfct - Pointer to referenced nf_conn object, obtained using
|
||||
* bpf_xdp_ct_alloc or bpf_skb_ct_alloc.
|
||||
* @timeout - Timeout in msecs.
|
||||
*/
|
||||
void bpf_ct_set_timeout(struct nf_conn___init *nfct, u32 timeout)
|
||||
{
|
||||
__nf_ct_set_timeout((struct nf_conn *)nfct, msecs_to_jiffies(timeout));
|
||||
}
|
||||
|
||||
/* bpf_ct_change_timeout - Change timeout of inserted nf_conn
|
||||
*
|
||||
* Change timeout associated of the inserted or looked up nf_conn.
|
||||
* This helper must be invoked for refcounted pointer to nf_conn.
|
||||
*
|
||||
* Parameters:
|
||||
* @nfct - Pointer to referenced nf_conn object, obtained using
|
||||
* bpf_ct_insert_entry, bpf_xdp_ct_lookup, or bpf_skb_ct_lookup.
|
||||
* @timeout - New timeout in msecs.
|
||||
*/
|
||||
int bpf_ct_change_timeout(struct nf_conn *nfct, u32 timeout)
|
||||
{
|
||||
return __nf_ct_change_timeout(nfct, msecs_to_jiffies(timeout));
|
||||
}
|
||||
|
||||
__diag_pop()
|
||||
|
||||
BTF_SET8_START(nf_ct_kfunc_set)
|
||||
|
@ -373,6 +403,8 @@ BTF_ID_FLAGS(func, bpf_skb_ct_alloc, KF_ACQUIRE | KF_RET_NULL)
|
|||
BTF_ID_FLAGS(func, bpf_skb_ct_lookup, KF_ACQUIRE | KF_RET_NULL)
|
||||
BTF_ID_FLAGS(func, bpf_ct_insert_entry, KF_ACQUIRE | KF_RET_NULL | KF_RELEASE)
|
||||
BTF_ID_FLAGS(func, bpf_ct_release, KF_RELEASE)
|
||||
BTF_ID_FLAGS(func, bpf_ct_set_timeout, KF_TRUSTED_ARGS)
|
||||
BTF_ID_FLAGS(func, bpf_ct_change_timeout, KF_TRUSTED_ARGS)
|
||||
BTF_SET8_END(nf_ct_kfunc_set)
|
||||
|
||||
static const struct btf_kfunc_id_set nf_conntrack_kfunc_set = {
|
||||
|
|
|
@ -2786,3 +2786,25 @@ err_expect:
|
|||
free_percpu(net->ct.stat);
|
||||
return ret;
|
||||
}
|
||||
|
||||
#if (IS_BUILTIN(CONFIG_NF_CONNTRACK) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF)) || \
|
||||
(IS_MODULE(CONFIG_NF_CONNTRACK) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF_MODULES) || \
|
||||
IS_ENABLED(CONFIG_NF_CT_NETLINK))
|
||||
|
||||
/* ctnetlink code shared by both ctnetlink and nf_conntrack_bpf */
|
||||
|
||||
int __nf_ct_change_timeout(struct nf_conn *ct, u64 timeout)
|
||||
{
|
||||
if (test_bit(IPS_FIXED_TIMEOUT_BIT, &ct->status))
|
||||
return -EPERM;
|
||||
|
||||
__nf_ct_set_timeout(ct, timeout);
|
||||
|
||||
if (test_bit(IPS_DYING_BIT, &ct->status))
|
||||
return -ETIME;
|
||||
|
||||
return 0;
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(__nf_ct_change_timeout);
|
||||
|
||||
#endif
|
||||
|
|
|
@ -2023,14 +2023,7 @@ static int ctnetlink_change_helper(struct nf_conn *ct,
|
|||
static int ctnetlink_change_timeout(struct nf_conn *ct,
|
||||
const struct nlattr * const cda[])
|
||||
{
|
||||
u64 timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
|
||||
|
||||
__nf_ct_set_timeout(ct, timeout);
|
||||
|
||||
if (test_bit(IPS_DYING_BIT, &ct->status))
|
||||
return -ETIME;
|
||||
|
||||
return 0;
|
||||
return __nf_ct_change_timeout(ct, (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ);
|
||||
}
|
||||
|
||||
#if defined(CONFIG_NF_CONNTRACK_MARK)
|
||||
|
|
Загрузка…
Ссылка в новой задаче