Commit 1c5fc27b authored by David S. Miller's avatar David S. Miller
Browse files

Merge tag 'nf-next-24-06-28' of... 

Merge tag 'nf-next-24-06-28' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next

 into main

Pablo Neira Ayuso says:

====================
Netfilter/IPVS updates for net-next

The following patchset contains Netfilter/IPVS updates for net-next:

Patch #1 to #11 to shrink memory consumption for transaction objects:

  struct nft_trans_chain { /* size: 120 (-32), cachelines: 2, members: 10 */
  struct nft_trans_elem { /* size: 72 (-40), cachelines: 2, members: 4 */
  struct nft_trans_flowtable { /* size: 80 (-48), cachelines: 2, members: 5 */
  struct nft_trans_obj { /* size: 72 (-40), cachelines: 2, members: 4 */
  struct nft_trans_rule { /* size: 80 (-32), cachelines: 2, members: 6 */
  struct nft_trans_set { /* size: 96 (-24), cachelines: 2, members: 8 */
  struct nft_trans_table { /* size: 56 (-40), cachelines: 1, members: 2 */

  struct nft_trans_elem can now be allocated from kmalloc-96 instead of
  kmalloc-128 slab.

  Series from Florian Westphal. For the record, I have mangled patch #1
  to add nft_trans_container_*() and use if for every transaction object.
   I have also added BUILD_BUG_ON to ensure struct nft_trans always comes
  at the beginning of the container transaction object. And few minor
  cleanups, any new bugs are of my own.

Patch #12 simplify check for SCTP GSO in IPVS, from Ismael Luceno.

Patch #13 nf_conncount key length remains in the u32 bound, from Yunjian Wang.

Patch #14 removes unnecessary check for CTA_TIMEOUT_L3PROTO when setting
          default conntrack timeouts via nfnetlink_cttimeout API, from
          Lin Ma.

Patch #15 updates NFT_SECMARK_CTX_MAXLEN to 4096, SELinux could use
          larger secctx names than the existing 256 bytes length.

Patch #16 adds a selftest to exercise nfnetlink_queue listeners leaving
          nfnetlink_queue, from Florian Westphal.

Patch #17 increases hitcount from 255 to 65535 in xt_recent, from Phil Sutter.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents a051091c f4ebd034

include/net/netfilter/nf_tables.h

+146 −76
Original line number Diff line number Diff line
@@ -1176,7 +1176,7 @@ static inline bool nft_chain_is_bound(struct nft_chain *chain) 


int nft_chain_add(struct nft_table *table, struct nft_chain *chain);

void nft_chain_del(struct nft_chain *chain);

void nf_tables_chain_destroy(struct nft_ctx *ctx);

void nf_tables_chain_destroy(struct nft_chain *chain);



struct nft_stats {

	u64			bytes;
@@ -1616,38 +1616,64 @@ static inline int nft_set_elem_is_dead(const struct nft_set_ext *ext) 
 * struct nft_trans - nf_tables object update in transaction

 *

 * @list: used internally

 *	@binding_list: list of objects with possible bindings

 * @net: struct net

 * @table: struct nft_table the object resides in

 * @msg_type: message type

 *	@put_net: ctx->net needs to be put

 *	@ctx: transaction context

 *	@data: internal information related to the transaction

 * @seq: netlink sequence number

 * @flags: modifiers to new request

 * @report: notify via unicast netlink message

 * @put_net: net needs to be put

 *

 * This is the information common to all objects in the transaction,

 * this must always be the first member of derived sub-types.

 */

struct nft_trans {

	struct list_head		list;

	struct list_head		binding_list;

	struct net			*net;

	struct nft_table		*table;

	int				msg_type;

	bool				put_net;

	struct nft_ctx			ctx;

	char				data[];

	u32				seq;

	u16				flags;

	u8				report:1;

	u8				put_net:1;

};



/**

 * struct nft_trans_binding - nf_tables object with binding support in transaction

 * @nft_trans:    base structure, MUST be first member

 * @binding_list: list of objects with possible bindings

 *

 * This is the base type used by objects that can be bound to a chain.

 */

struct nft_trans_binding {

	struct nft_trans nft_trans;

	struct list_head binding_list;

};



struct nft_trans_rule {

	struct nft_trans		nft_trans;

	struct nft_rule			*rule;

	struct nft_chain		*chain;

	struct nft_flow_rule		*flow;

	u32				rule_id;

	bool				bound;

};



#define nft_trans_container_rule(trans)			\

	container_of(trans, struct nft_trans_rule, nft_trans)

#define nft_trans_rule(trans)				\

	(((struct nft_trans_rule *)trans->data)->rule)

	nft_trans_container_rule(trans)->rule

#define nft_trans_flow_rule(trans)			\

	(((struct nft_trans_rule *)trans->data)->flow)

	nft_trans_container_rule(trans)->flow

#define nft_trans_rule_id(trans)			\

	(((struct nft_trans_rule *)trans->data)->rule_id)

	nft_trans_container_rule(trans)->rule_id

#define nft_trans_rule_bound(trans)			\

	(((struct nft_trans_rule *)trans->data)->bound)

	nft_trans_container_rule(trans)->bound

#define nft_trans_rule_chain(trans)	\

	nft_trans_container_rule(trans)->chain



struct nft_trans_set {

	struct nft_trans_binding	nft_trans_binding;

	struct nft_set			*set;

	u32				set_id;

	u32				gc_int;
@@ -1657,100 +1683,117 @@ struct nft_trans_set { 
	u32				size;

};



#define nft_trans_container_set(t)	\

	container_of(t, struct nft_trans_set, nft_trans_binding.nft_trans)

#define nft_trans_set(trans)				\

	(((struct nft_trans_set *)trans->data)->set)

	nft_trans_container_set(trans)->set

#define nft_trans_set_id(trans)				\

	(((struct nft_trans_set *)trans->data)->set_id)

	nft_trans_container_set(trans)->set_id

#define nft_trans_set_bound(trans)			\

	(((struct nft_trans_set *)trans->data)->bound)

	nft_trans_container_set(trans)->bound

#define nft_trans_set_update(trans)			\

	(((struct nft_trans_set *)trans->data)->update)

	nft_trans_container_set(trans)->update

#define nft_trans_set_timeout(trans)			\

	(((struct nft_trans_set *)trans->data)->timeout)

	nft_trans_container_set(trans)->timeout

#define nft_trans_set_gc_int(trans)			\

	(((struct nft_trans_set *)trans->data)->gc_int)

	nft_trans_container_set(trans)->gc_int

#define nft_trans_set_size(trans)			\

	(((struct nft_trans_set *)trans->data)->size)

	nft_trans_container_set(trans)->size



struct nft_trans_chain {

	struct nft_trans_binding	nft_trans_binding;

	struct nft_chain		*chain;

	bool				update;

	char				*name;

	struct nft_stats __percpu	*stats;

	u8				policy;

	bool				update;

	bool				bound;

	u32				chain_id;

	struct nft_base_chain		*basechain;

	struct list_head		hook_list;

};



#define nft_trans_container_chain(t)	\

	container_of(t, struct nft_trans_chain, nft_trans_binding.nft_trans)

#define nft_trans_chain(trans)				\

	(((struct nft_trans_chain *)trans->data)->chain)

	nft_trans_container_chain(trans)->chain

#define nft_trans_chain_update(trans)			\

	(((struct nft_trans_chain *)trans->data)->update)

	nft_trans_container_chain(trans)->update

#define nft_trans_chain_name(trans)			\

	(((struct nft_trans_chain *)trans->data)->name)

	nft_trans_container_chain(trans)->name

#define nft_trans_chain_stats(trans)			\

	(((struct nft_trans_chain *)trans->data)->stats)

	nft_trans_container_chain(trans)->stats

#define nft_trans_chain_policy(trans)			\

	(((struct nft_trans_chain *)trans->data)->policy)

	nft_trans_container_chain(trans)->policy

#define nft_trans_chain_bound(trans)			\

	(((struct nft_trans_chain *)trans->data)->bound)

	nft_trans_container_chain(trans)->bound

#define nft_trans_chain_id(trans)			\

	(((struct nft_trans_chain *)trans->data)->chain_id)

	nft_trans_container_chain(trans)->chain_id

#define nft_trans_basechain(trans)			\

	(((struct nft_trans_chain *)trans->data)->basechain)

	nft_trans_container_chain(trans)->basechain

#define nft_trans_chain_hooks(trans)			\

	(((struct nft_trans_chain *)trans->data)->hook_list)

	nft_trans_container_chain(trans)->hook_list



struct nft_trans_table {

	struct nft_trans		nft_trans;

	bool				update;

};



#define nft_trans_container_table(trans)		\

	container_of(trans, struct nft_trans_table, nft_trans)

#define nft_trans_table_update(trans)			\

	(((struct nft_trans_table *)trans->data)->update)

	nft_trans_container_table(trans)->update



struct nft_trans_elem {

	struct nft_trans		nft_trans;

	struct nft_set			*set;

	struct nft_elem_priv		*elem_priv;

	bool				bound;

};



#define nft_trans_container_elem(t)			\

	container_of(t, struct nft_trans_elem, nft_trans)

#define nft_trans_elem_set(trans)			\

	(((struct nft_trans_elem *)trans->data)->set)

	nft_trans_container_elem(trans)->set

#define nft_trans_elem_priv(trans)			\

	(((struct nft_trans_elem *)trans->data)->elem_priv)

	nft_trans_container_elem(trans)->elem_priv

#define nft_trans_elem_set_bound(trans)			\

	(((struct nft_trans_elem *)trans->data)->bound)

	nft_trans_container_elem(trans)->bound



struct nft_trans_obj {

	struct nft_trans		nft_trans;

	struct nft_object		*obj;

	struct nft_object		*newobj;

	bool				update;

};



#define nft_trans_container_obj(t)			\

	container_of(t, struct nft_trans_obj, nft_trans)

#define nft_trans_obj(trans)				\

	(((struct nft_trans_obj *)trans->data)->obj)

	nft_trans_container_obj(trans)->obj

#define nft_trans_obj_newobj(trans)			\

	(((struct nft_trans_obj *)trans->data)->newobj)

	nft_trans_container_obj(trans)->newobj

#define nft_trans_obj_update(trans)			\

	(((struct nft_trans_obj *)trans->data)->update)

	nft_trans_container_obj(trans)->update



struct nft_trans_flowtable {

	struct nft_trans		nft_trans;

	struct nft_flowtable		*flowtable;

	bool				update;

	struct list_head		hook_list;

	u32				flags;

	bool				update;

};



#define nft_trans_container_flowtable(t)		\

	container_of(t, struct nft_trans_flowtable, nft_trans)

#define nft_trans_flowtable(trans)			\

	(((struct nft_trans_flowtable *)trans->data)->flowtable)

	nft_trans_container_flowtable(trans)->flowtable

#define nft_trans_flowtable_update(trans)		\

	(((struct nft_trans_flowtable *)trans->data)->update)

	nft_trans_container_flowtable(trans)->update

#define nft_trans_flowtable_hooks(trans)		\

	(((struct nft_trans_flowtable *)trans->data)->hook_list)

	nft_trans_container_flowtable(trans)->hook_list

#define nft_trans_flowtable_flags(trans)		\

	(((struct nft_trans_flowtable *)trans->data)->flags)

	nft_trans_container_flowtable(trans)->flags



#define NFT_TRANS_GC_BATCHCOUNT	256
@@ -1764,6 +1807,33 @@ struct nft_trans_gc { 
	struct rcu_head		rcu;

};



static inline void nft_ctx_update(struct nft_ctx *ctx,

				  const struct nft_trans *trans)

{

	switch (trans->msg_type) {

	case NFT_MSG_NEWRULE:

	case NFT_MSG_DELRULE:

	case NFT_MSG_DESTROYRULE:

		ctx->chain = nft_trans_rule_chain(trans);

		break;

	case NFT_MSG_NEWCHAIN:

	case NFT_MSG_DELCHAIN:

	case NFT_MSG_DESTROYCHAIN:

		ctx->chain = nft_trans_chain(trans);

		break;

	default:

		ctx->chain = NULL;

		break;

	}



	ctx->net = trans->net;

	ctx->table = trans->table;

	ctx->family = trans->table->family;

	ctx->report = trans->report;

	ctx->flags = trans->flags;

	ctx->seq = trans->seq;

}



struct nft_trans_gc *nft_trans_gc_alloc(struct nft_set *set,

					unsigned int gc_seq, gfp_t gfp);

void nft_trans_gc_destroy(struct nft_trans_gc *trans);

include/uapi/linux/netfilter/nf_tables.h

+1 −1
Original line number Diff line number Diff line
@@ -1376,7 +1376,7 @@ enum nft_secmark_attributes { 
#define NFTA_SECMARK_MAX	(__NFTA_SECMARK_MAX - 1)



/* Max security context length */

#define NFT_SECMARK_CTX_MAXLEN		256

#define NFT_SECMARK_CTX_MAXLEN		4096



/**

 * enum nft_reject_types - nf_tables reject expression reject types

net/netfilter/ipvs/ip_vs_proto_sctp.c

+2 −2
Original line number Diff line number Diff line
@@ -126,7 +126,7 @@ sctp_snat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp, 
	if (sctph->source != cp->vport || payload_csum ||

	    skb->ip_summed == CHECKSUM_PARTIAL) {

		sctph->source = cp->vport;

		if (!skb_is_gso(skb) || !skb_is_gso_sctp(skb))

		if (!skb_is_gso(skb))

			sctp_nat_csum(skb, sctph, sctphoff);

	} else {

		skb->ip_summed = CHECKSUM_UNNECESSARY;
@@ -175,7 +175,7 @@ sctp_dnat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp, 
	    (skb->ip_summed == CHECKSUM_PARTIAL &&

	     !(skb_dst(skb)->dev->features & NETIF_F_SCTP_CRC))) {

		sctph->dest = cp->dport;

		if (!skb_is_gso(skb) || !skb_is_gso_sctp(skb))

		if (!skb_is_gso(skb))

			sctp_nat_csum(skb, sctph, sctphoff);

	} else if (skb->ip_summed != CHECKSUM_PARTIAL) {

		skb->ip_summed = CHECKSUM_UNNECESSARY;

net/netfilter/nf_conncount.c

+3 −5
Original line number Diff line number Diff line
@@ -321,7 +321,6 @@ insert_tree(struct net *net, 
	struct nf_conncount_rb *rbconn;

	struct nf_conncount_tuple *conn;

	unsigned int count = 0, gc_count = 0;

	u8 keylen = data->keylen;

	bool do_gc = true;



	spin_lock_bh(&nf_conncount_locks[hash]);
@@ -333,7 +332,7 @@ insert_tree(struct net *net, 
		rbconn = rb_entry(*rbnode, struct nf_conncount_rb, node);



		parent = *rbnode;

		diff = key_diff(key, rbconn->key, keylen);

		diff = key_diff(key, rbconn->key, data->keylen);

		if (diff < 0) {

			rbnode = &((*rbnode)->rb_left);

		} else if (diff > 0) {
@@ -378,7 +377,7 @@ insert_tree(struct net *net, 


	conn->tuple = *tuple;

	conn->zone = *zone;

	memcpy(rbconn->key, key, sizeof(u32) * keylen);

	memcpy(rbconn->key, key, sizeof(u32) * data->keylen);



	nf_conncount_list_init(&rbconn->list);

	list_add(&conn->node, &rbconn->list.head);
@@ -403,7 +402,6 @@ count_tree(struct net *net, 
	struct rb_node *parent;

	struct nf_conncount_rb *rbconn;

	unsigned int hash;

	u8 keylen = data->keylen;



	hash = jhash2(key, data->keylen, conncount_rnd) % CONNCOUNT_SLOTS;

	root = &data->root[hash];
@@ -414,7 +412,7 @@ count_tree(struct net *net, 


		rbconn = rb_entry(parent, struct nf_conncount_rb, node);



		diff = key_diff(key, rbconn->key, keylen);

		diff = key_diff(key, rbconn->key, data->keylen);

		if (diff < 0) {

			parent = rcu_dereference_raw(parent->rb_left);

		} else if (diff > 0) {

net/netfilter/nf_tables_api.c

+244 −167

File changed.

Preview size limit exceeded, changes collapsed.