Skip to content

Commit

Permalink
Merge tag 'nf-next-24-06-28' of git://git.kernel.org/pub/scm/linux/ke…
Browse files Browse the repository at this point in the history 
…rnel/git/netfilter/nf-next into main

Pablo Neira Ayuso says:

====================
Netfilter/IPVS updates for net-next

The following patchset contains Netfilter/IPVS updates for net-next:

Patch #1 to #11 to shrink memory consumption for transaction objects:

  struct nft_trans_chain { /* size: 120 (-32), cachelines: 2, members: 10 */
  struct nft_trans_elem { /* size: 72 (-40), cachelines: 2, members: 4 */
  struct nft_trans_flowtable { /* size: 80 (-48), cachelines: 2, members: 5 */
  struct nft_trans_obj { /* size: 72 (-40), cachelines: 2, members: 4 */
  struct nft_trans_rule { /* size: 80 (-32), cachelines: 2, members: 6 */
  struct nft_trans_set { /* size: 96 (-24), cachelines: 2, members: 8 */
  struct nft_trans_table { /* size: 56 (-40), cachelines: 1, members: 2 */

  struct nft_trans_elem can now be allocated from kmalloc-96 instead of
  kmalloc-128 slab.

  Series from Florian Westphal. For the record, I have mangled patch #1
  to add nft_trans_container_*() and use if for every transaction object.
   I have also added BUILD_BUG_ON to ensure struct nft_trans always comes
  at the beginning of the container transaction object. And few minor
  cleanups, any new bugs are of my own.

Patch #12 simplify check for SCTP GSO in IPVS, from Ismael Luceno.

Patch #13 nf_conncount key length remains in the u32 bound, from Yunjian Wang.

Patch #14 removes unnecessary check for CTA_TIMEOUT_L3PROTO when setting
          default conntrack timeouts via nfnetlink_cttimeout API, from
          Lin Ma.

Patch #15 updates NFT_SECMARK_CTX_MAXLEN to 4096, SELinux could use
          larger secctx names than the existing 256 bytes length.

Patch #16 adds a selftest to exercise nfnetlink_queue listeners leaving
          nfnetlink_queue, from Florian Westphal.

Patch #17 increases hitcount from 255 to 65535 in xt_recent, from Phil Sutter.
====================

Signed-off-by: David S. Miller <[email protected]>
  • Loading branch information
@davem330
davem330 committed Jul 1, 2024
2 parents a051091 + f4ebd03 commit 1c5fc27
Show file tree
Hide file tree
Showing 10 changed files with 459 additions and 278 deletions.
222 changes: 146 additions & 76 deletions include/net/netfilter/nf_tables.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1176,7 +1176,7 @@ static inline bool nft_chain_is_bound(struct nft_chain *chain)

int nft_chain_add(struct nft_table *table, struct nft_chain *chain);
void nft_chain_del(struct nft_chain *chain);
void nf_tables_chain_destroy(struct nft_ctx *ctx);
void nf_tables_chain_destroy(struct nft_chain *chain);

struct nft_stats {
u64 bytes;
Expand Down Expand Up @@ -1613,41 +1613,67 @@ static inline int nft_set_elem_is_dead(const struct nft_set_ext *ext)
}

/**
* struct nft_trans - nf_tables object update in transaction
* struct nft_trans - nf_tables object update in transaction
*
* @list: used internally
* @binding_list: list of objects with possible bindings
* @msg_type: message type
* @put_net: ctx->net needs to be put
* @ctx: transaction context
* @data: internal information related to the transaction
* @list: used internally
* @net: struct net
* @table: struct nft_table the object resides in
* @msg_type: message type
* @seq: netlink sequence number
* @flags: modifiers to new request
* @report: notify via unicast netlink message
* @put_net: net needs to be put
*
* This is the information common to all objects in the transaction,
* this must always be the first member of derived sub-types.
*/
struct nft_trans {
struct list_head list;
struct list_head binding_list;
struct net *net;
struct nft_table *table;
int msg_type;
bool put_net;
struct nft_ctx ctx;
char data[];
u32 seq;
u16 flags;
u8 report:1;
u8 put_net:1;
};

/**
* struct nft_trans_binding - nf_tables object with binding support in transaction
* @nft_trans: base structure, MUST be first member
* @binding_list: list of objects with possible bindings
*
* This is the base type used by objects that can be bound to a chain.
*/
struct nft_trans_binding {
struct nft_trans nft_trans;
struct list_head binding_list;
};

struct nft_trans_rule {
struct nft_trans nft_trans;
struct nft_rule *rule;
struct nft_chain *chain;
struct nft_flow_rule *flow;
u32 rule_id;
bool bound;
};

#define nft_trans_rule(trans) \
(((struct nft_trans_rule *)trans->data)->rule)
#define nft_trans_flow_rule(trans) \
(((struct nft_trans_rule *)trans->data)->flow)
#define nft_trans_rule_id(trans) \
(((struct nft_trans_rule *)trans->data)->rule_id)
#define nft_trans_rule_bound(trans) \
(((struct nft_trans_rule *)trans->data)->bound)
#define nft_trans_container_rule(trans) \
container_of(trans, struct nft_trans_rule, nft_trans)
#define nft_trans_rule(trans) \
nft_trans_container_rule(trans)->rule
#define nft_trans_flow_rule(trans) \
nft_trans_container_rule(trans)->flow
#define nft_trans_rule_id(trans) \
nft_trans_container_rule(trans)->rule_id
#define nft_trans_rule_bound(trans) \
nft_trans_container_rule(trans)->bound
#define nft_trans_rule_chain(trans) \
nft_trans_container_rule(trans)->chain

struct nft_trans_set {
struct nft_trans_binding nft_trans_binding;
struct nft_set *set;
u32 set_id;
u32 gc_int;
Expand All @@ -1657,100 +1683,117 @@ struct nft_trans_set {
u32 size;
};

#define nft_trans_set(trans) \
(((struct nft_trans_set *)trans->data)->set)
#define nft_trans_set_id(trans) \
(((struct nft_trans_set *)trans->data)->set_id)
#define nft_trans_set_bound(trans) \
(((struct nft_trans_set *)trans->data)->bound)
#define nft_trans_set_update(trans) \
(((struct nft_trans_set *)trans->data)->update)
#define nft_trans_set_timeout(trans) \
(((struct nft_trans_set *)trans->data)->timeout)
#define nft_trans_set_gc_int(trans) \
(((struct nft_trans_set *)trans->data)->gc_int)
#define nft_trans_set_size(trans) \
(((struct nft_trans_set *)trans->data)->size)
#define nft_trans_container_set(t) \
container_of(t, struct nft_trans_set, nft_trans_binding.nft_trans)
#define nft_trans_set(trans) \
nft_trans_container_set(trans)->set
#define nft_trans_set_id(trans) \
nft_trans_container_set(trans)->set_id
#define nft_trans_set_bound(trans) \
nft_trans_container_set(trans)->bound
#define nft_trans_set_update(trans) \
nft_trans_container_set(trans)->update
#define nft_trans_set_timeout(trans) \
nft_trans_container_set(trans)->timeout
#define nft_trans_set_gc_int(trans) \
nft_trans_container_set(trans)->gc_int
#define nft_trans_set_size(trans) \
nft_trans_container_set(trans)->size

struct nft_trans_chain {
struct nft_trans_binding nft_trans_binding;
struct nft_chain *chain;
bool update;
char *name;
struct nft_stats __percpu *stats;
u8 policy;
bool update;
bool bound;
u32 chain_id;
struct nft_base_chain *basechain;
struct list_head hook_list;
};

#define nft_trans_chain(trans) \
(((struct nft_trans_chain *)trans->data)->chain)
#define nft_trans_chain_update(trans) \
(((struct nft_trans_chain *)trans->data)->update)
#define nft_trans_chain_name(trans) \
(((struct nft_trans_chain *)trans->data)->name)
#define nft_trans_chain_stats(trans) \
(((struct nft_trans_chain *)trans->data)->stats)
#define nft_trans_chain_policy(trans) \
(((struct nft_trans_chain *)trans->data)->policy)
#define nft_trans_chain_bound(trans) \
(((struct nft_trans_chain *)trans->data)->bound)
#define nft_trans_chain_id(trans) \
(((struct nft_trans_chain *)trans->data)->chain_id)
#define nft_trans_basechain(trans) \
(((struct nft_trans_chain *)trans->data)->basechain)
#define nft_trans_chain_hooks(trans) \
(((struct nft_trans_chain *)trans->data)->hook_list)
#define nft_trans_container_chain(t) \
container_of(t, struct nft_trans_chain, nft_trans_binding.nft_trans)
#define nft_trans_chain(trans) \
nft_trans_container_chain(trans)->chain
#define nft_trans_chain_update(trans) \
nft_trans_container_chain(trans)->update
#define nft_trans_chain_name(trans) \
nft_trans_container_chain(trans)->name
#define nft_trans_chain_stats(trans) \
nft_trans_container_chain(trans)->stats
#define nft_trans_chain_policy(trans) \
nft_trans_container_chain(trans)->policy
#define nft_trans_chain_bound(trans) \
nft_trans_container_chain(trans)->bound
#define nft_trans_chain_id(trans) \
nft_trans_container_chain(trans)->chain_id
#define nft_trans_basechain(trans) \
nft_trans_container_chain(trans)->basechain
#define nft_trans_chain_hooks(trans) \
nft_trans_container_chain(trans)->hook_list

struct nft_trans_table {
struct nft_trans nft_trans;
bool update;
};

#define nft_trans_table_update(trans) \
(((struct nft_trans_table *)trans->data)->update)
#define nft_trans_container_table(trans) \
container_of(trans, struct nft_trans_table, nft_trans)
#define nft_trans_table_update(trans) \
nft_trans_container_table(trans)->update

struct nft_trans_elem {
struct nft_trans nft_trans;
struct nft_set *set;
struct nft_elem_priv *elem_priv;
bool bound;
};

#define nft_trans_elem_set(trans) \
(((struct nft_trans_elem *)trans->data)->set)
#define nft_trans_elem_priv(trans) \
(((struct nft_trans_elem *)trans->data)->elem_priv)
#define nft_trans_elem_set_bound(trans) \
(((struct nft_trans_elem *)trans->data)->bound)
#define nft_trans_container_elem(t) \
container_of(t, struct nft_trans_elem, nft_trans)
#define nft_trans_elem_set(trans) \
nft_trans_container_elem(trans)->set
#define nft_trans_elem_priv(trans) \
nft_trans_container_elem(trans)->elem_priv
#define nft_trans_elem_set_bound(trans) \
nft_trans_container_elem(trans)->bound

struct nft_trans_obj {
struct nft_trans nft_trans;
struct nft_object *obj;
struct nft_object *newobj;
bool update;
};

#define nft_trans_obj(trans) \
(((struct nft_trans_obj *)trans->data)->obj)
#define nft_trans_obj_newobj(trans) \
(((struct nft_trans_obj *)trans->data)->newobj)
#define nft_trans_obj_update(trans) \
(((struct nft_trans_obj *)trans->data)->update)
#define nft_trans_container_obj(t) \
container_of(t, struct nft_trans_obj, nft_trans)
#define nft_trans_obj(trans) \
nft_trans_container_obj(trans)->obj
#define nft_trans_obj_newobj(trans) \
nft_trans_container_obj(trans)->newobj
#define nft_trans_obj_update(trans) \
nft_trans_container_obj(trans)->update

struct nft_trans_flowtable {
struct nft_trans nft_trans;
struct nft_flowtable *flowtable;
bool update;
struct list_head hook_list;
u32 flags;
bool update;
};

#define nft_trans_flowtable(trans) \
(((struct nft_trans_flowtable *)trans->data)->flowtable)
#define nft_trans_flowtable_update(trans) \
(((struct nft_trans_flowtable *)trans->data)->update)
#define nft_trans_flowtable_hooks(trans) \
(((struct nft_trans_flowtable *)trans->data)->hook_list)
#define nft_trans_flowtable_flags(trans) \
(((struct nft_trans_flowtable *)trans->data)->flags)
#define nft_trans_container_flowtable(t) \
container_of(t, struct nft_trans_flowtable, nft_trans)
#define nft_trans_flowtable(trans) \
nft_trans_container_flowtable(trans)->flowtable
#define nft_trans_flowtable_update(trans) \
nft_trans_container_flowtable(trans)->update
#define nft_trans_flowtable_hooks(trans) \
nft_trans_container_flowtable(trans)->hook_list
#define nft_trans_flowtable_flags(trans) \
nft_trans_container_flowtable(trans)->flags

#define NFT_TRANS_GC_BATCHCOUNT 256

Expand All @@ -1764,6 +1807,33 @@ struct nft_trans_gc {
struct rcu_head rcu;
};

static inline void nft_ctx_update(struct nft_ctx *ctx,
const struct nft_trans *trans)
{
switch (trans->msg_type) {
case NFT_MSG_NEWRULE:
case NFT_MSG_DELRULE:
case NFT_MSG_DESTROYRULE:
ctx->chain = nft_trans_rule_chain(trans);
break;
case NFT_MSG_NEWCHAIN:
case NFT_MSG_DELCHAIN:
case NFT_MSG_DESTROYCHAIN:
ctx->chain = nft_trans_chain(trans);
break;
default:
ctx->chain = NULL;
break;
}

ctx->net = trans->net;
ctx->table = trans->table;
ctx->family = trans->table->family;
ctx->report = trans->report;
ctx->flags = trans->flags;
ctx->seq = trans->seq;
}

struct nft_trans_gc *nft_trans_gc_alloc(struct nft_set *set,
unsigned int gc_seq, gfp_t gfp);
void nft_trans_gc_destroy(struct nft_trans_gc *trans);
Expand Down
2 changes: 1 addition & 1 deletion include/uapi/linux/netfilter/nf_tables.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1376,7 +1376,7 @@ enum nft_secmark_attributes {
#define NFTA_SECMARK_MAX (__NFTA_SECMARK_MAX - 1)

/* Max security context length */
#define NFT_SECMARK_CTX_MAXLEN 256
#define NFT_SECMARK_CTX_MAXLEN 4096

/**
* enum nft_reject_types - nf_tables reject expression reject types
Expand Down
4 changes: 2 additions & 2 deletions net/netfilter/ipvs/ip_vs_proto_sctp.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -126,7 +126,7 @@ sctp_snat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp,
if (sctph->source != cp->vport || payload_csum ||
skb->ip_summed == CHECKSUM_PARTIAL) {
sctph->source = cp->vport;
if (!skb_is_gso(skb) || !skb_is_gso_sctp(skb))
if (!skb_is_gso(skb))
sctp_nat_csum(skb, sctph, sctphoff);
} else {
skb->ip_summed = CHECKSUM_UNNECESSARY;
Expand Down Expand Up @@ -175,7 +175,7 @@ sctp_dnat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp,
(skb->ip_summed == CHECKSUM_PARTIAL &&
!(skb_dst(skb)->dev->features & NETIF_F_SCTP_CRC))) {
sctph->dest = cp->dport;
if (!skb_is_gso(skb) || !skb_is_gso_sctp(skb))
if (!skb_is_gso(skb))
sctp_nat_csum(skb, sctph, sctphoff);
} else if (skb->ip_summed != CHECKSUM_PARTIAL) {
skb->ip_summed = CHECKSUM_UNNECESSARY;
Expand Down
8 changes: 3 additions & 5 deletions net/netfilter/nf_conncount.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -321,7 +321,6 @@ insert_tree(struct net *net,
struct nf_conncount_rb *rbconn;
struct nf_conncount_tuple *conn;
unsigned int count = 0, gc_count = 0;
u8 keylen = data->keylen;
bool do_gc = true;

spin_lock_bh(&nf_conncount_locks[hash]);
Expand All @@ -333,7 +332,7 @@ insert_tree(struct net *net,
rbconn = rb_entry(*rbnode, struct nf_conncount_rb, node);

parent = *rbnode;
diff = key_diff(key, rbconn->key, keylen);
diff = key_diff(key, rbconn->key, data->keylen);
if (diff < 0) {
rbnode = &((*rbnode)->rb_left);
} else if (diff > 0) {
Expand Down Expand Up @@ -378,7 +377,7 @@ insert_tree(struct net *net,

conn->tuple = *tuple;
conn->zone = *zone;
memcpy(rbconn->key, key, sizeof(u32) * keylen);
memcpy(rbconn->key, key, sizeof(u32) * data->keylen);

nf_conncount_list_init(&rbconn->list);
list_add(&conn->node, &rbconn->list.head);
Expand All @@ -403,7 +402,6 @@ count_tree(struct net *net,
struct rb_node *parent;
struct nf_conncount_rb *rbconn;
unsigned int hash;
u8 keylen = data->keylen;

hash = jhash2(key, data->keylen, conncount_rnd) % CONNCOUNT_SLOTS;
root = &data->root[hash];
Expand All @@ -414,7 +412,7 @@ count_tree(struct net *net,

rbconn = rb_entry(parent, struct nf_conncount_rb, node);

diff = key_diff(key, rbconn->key, keylen);
diff = key_diff(key, rbconn->key, data->keylen);
if (diff < 0) {
parent = rcu_dereference_raw(parent->rb_left);
} else if (diff > 0) {
Expand Down
Loading

0 comments on commit 1c5fc27

Please sign in to comment.