git.baikalelectronics.ru Git - kernel.git/commit

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 15 Feb 2021 11:28:07 +0000 (12:28 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 15 Feb 2021 17:17:15 +0000 (18:17 +0100)
commit	10e0d9638f2023622123b8761f432a5d757c54f7
tree	db2b5e9f51bac22a1192ac6e526204c57799c21a	tree \| snapshot
parent	528d560d0a9acb9a24a52476f65f7179388dffa8	commit \| diff

netfilter: nftables: introduce table ownership

A userspace daemon like firewalld might need to monitor for netlink
updates to detect its ruleset removal by the (global) flush ruleset
command to ensure ruleset persistency. This adds extra complexity from
userspace and, for some little time, the firewall policy is not in
place.

This patch adds the NFT_TABLE_F_OWNER flag which allows a userspace
program to own the table that creates in exclusivity.

Tables that are owned...

- can only be updated and removed by the owner, non-owners hit EPERM if
they try to update it or remove it.
- are destroyed when the owner closes the netlink socket or the process
is gone (implicit netlink socket closure).
- are skipped by the global flush ruleset command.
- are listed in the global ruleset.

The userspace process that sets on the NFT_TABLE_F_OWNER flag need to
leave open the netlink socket.

A new NFTA_TABLE_OWNER netlink attribute specifies the netlink port ID
to identify the owner from userspace.

This patch also updates error reporting when an unknown table flag is
specified to change it from EINVAL to EOPNOTSUPP given that EINVAL is
usually reserved to report for malformed netlink messages to userspace.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/net/netfilter/nf_tables.h		diff \| blob \| history
include/uapi/linux/netfilter/nf_tables.h		diff \| blob \| history
net/netfilter/nf_tables_api.c		diff \| blob \| history