public-mirrors/linux
1
0
Fork 0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-09-18 22:14:16 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

netfilter: nf_tables: make nft_set_do_lookup available unconditionally

Browse source 
This function was added for retpoline mitigation and is replaced by a
static inline helper if mitigations are not enabled.

Enable this helper function unconditionally so next patch can add a lookup
restart mechanism to fix possible false negatives while transactions are
in progress.

Adding lookup restarts in nft_lookup_eval doesn't work as nft_objref would
then need the same copypaste loop.

This patch is separate to ease review of the actual bug fix.

Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
This commit is contained in:
Florian Westphal 2025-09-10 10:02:21 +02:00
parent 64102d9bbc
commit 11fe5a82e5
2 changed files with 14 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
include/net/netfilter/nf_tables_core.h
View file

@ -109,17 +109,11 @@ nft_hash_lookup_fast(const struct net *net, const struct nft_set *set,
const struct nft_set_ext * const struct nft_set_ext *
nft_hash_lookup(const struct net *net, const struct nft_set *set, nft_hash_lookup(const struct net *net, const struct nft_set *set,
const u32 *key); const u32 *key);
#endif
const struct nft_set_ext * const struct nft_set_ext *
nft_set_do_lookup(const struct net *net, const struct nft_set *set, nft_set_do_lookup(const struct net *net, const struct nft_set *set,
const u32 *key); const u32 *key);
#else
static inline const struct nft_set_ext *
nft_set_do_lookup(const struct net *net, const struct nft_set *set,
const u32 *key)
{
return set->ops->lookup(net, set, key);
}
#endif
/* called from nft_pipapo_avx2.c */ /* called from nft_pipapo_avx2.c */
const struct nft_set_ext * const struct nft_set_ext *

15
net/netfilter/nft_lookup.c
View file

@ -24,11 +24,11 @@ struct nft_lookup {
struct nft_set_binding binding; struct nft_set_binding binding;
}; };
#ifdef CONFIG_MITIGATION_RETPOLINE static const struct nft_set_ext *
const struct nft_set_ext * __nft_set_do_lookup(const struct net *net, const struct nft_set *set,
nft_set_do_lookup(const struct net *net, const struct nft_set *set,
const u32 *key) const u32 *key)
{ {
#ifdef CONFIG_MITIGATION_RETPOLINE
if (set->ops == &nft_set_hash_fast_type.ops) if (set->ops == &nft_set_hash_fast_type.ops)
return nft_hash_lookup_fast(net, set, key); return nft_hash_lookup_fast(net, set, key);
if (set->ops == &nft_set_hash_type.ops) if (set->ops == &nft_set_hash_type.ops)
@ -51,10 +51,17 @@ nft_set_do_lookup(const struct net *net, const struct nft_set *set,
return nft_rbtree_lookup(net, set, key); return nft_rbtree_lookup(net, set, key);
WARN_ON_ONCE(1); WARN_ON_ONCE(1);
#endif
return set->ops->lookup(net, set, key); return set->ops->lookup(net, set, key);
} }
const struct nft_set_ext *
nft_set_do_lookup(const struct net *net, const struct nft_set *set,
const u32 *key)
{
return __nft_set_do_lookup(net, set, key);
}
EXPORT_SYMBOL_GPL(nft_set_do_lookup); EXPORT_SYMBOL_GPL(nft_set_do_lookup);
#endif
void nft_lookup_eval(const struct nft_expr *expr, void nft_lookup_eval(const struct nft_expr *expr,
struct nft_regs *regs, struct nft_regs *regs,