From: Patrick McHardy <kaber@trash.net>
To: davem@davemloft.net
Cc: Patrick McHardy <kaber@trash.net>, netfilter-devel@vger.kernel.org
Subject: [NETFILTER 04/49]: x_tables: struct xt_table_info diet
Date: Tue, 4 Dec 2007 13:02:01 +0100 (MET) [thread overview]
Message-ID: <20071204120200.2442.89438.sendpatchset@localhost.localdomain> (raw)
In-Reply-To: <20071204120154.2442.91626.sendpatchset@localhost.localdomain>
[NETFILTER]: x_tables: struct xt_table_info diet
Instead of using a big array of NR_CPUS entries, we can compute the size
needed at runtime, using nr_cpu_ids
This should save some ram (especially on David's machines where NR_CPUS=4096 :
32 KB can be saved per table, and 64KB for dynamically allocated ones (because
of slab/slub alignements) )
In particular, the 'bootstrap' tables are not any more static (in data
section) but on stack as their size is now very small.
This also should reduce the size used on stack in compat functions
(get_info() declares an automatic variable, that could be bigger than kernel
stack size for big NR_CPUS)
Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit e648b28460f8bcbdb6293ce66b99735efa31a1ee
tree d0e9de24d3746bbcb1b6bdd39a5f21c6cfd5b609
parent 15b20d2de585dd83c73067783150c667d1229259
author Eric Dumazet <dada1@cosmosbay.com> Tue, 04 Dec 2007 10:46:56 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 04 Dec 2007 10:46:56 +0100
include/linux/netfilter/x_tables.h | 5 ++++-
net/ipv4/netfilter/arp_tables.c | 5 ++---
net/ipv4/netfilter/ip_tables.c | 24 +++++++++---------------
net/ipv6/netfilter/ip6_tables.c | 5 ++---
net/netfilter/x_tables.c | 2 +-
5 files changed, 18 insertions(+), 23 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 9657c4e..e305f2d 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -269,9 +269,12 @@ struct xt_table_info
unsigned int underflow[NF_INET_NUMHOOKS];
/* ipt_entry tables: one per CPU */
- char *entries[NR_CPUS];
+ /* Note : this field MUST be the last one, see XT_TABLE_INFO_SZ */
+ char *entries[1];
};
+#define XT_TABLE_INFO_SZ (offsetof(struct xt_table_info, entries) \
+ + nr_cpu_ids * sizeof(char *))
extern int xt_register_target(struct xt_target *target);
extern void xt_unregister_target(struct xt_target *target);
extern int xt_register_targets(struct xt_target *target, unsigned int n);
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 2909c92..a21722d 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -811,8 +811,7 @@ static int do_replace(void __user *user, unsigned int len)
return -ENOPROTOOPT;
/* overflow check */
- if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
- SMP_CACHE_BYTES)
+ if (tmp.size >= INT_MAX / num_possible_cpus())
return -ENOMEM;
if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
return -ENOMEM;
@@ -1090,7 +1089,7 @@ int arpt_register_table(struct arpt_table *table,
{
int ret;
struct xt_table_info *newinfo;
- static struct xt_table_info bootstrap
+ struct xt_table_info bootstrap
= { 0, 0, 0, { 0 }, { 0 }, { } };
void *loc_cpu_entry;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index a99fe89..4200fde 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1090,7 +1090,8 @@ compat_calc_match(struct ipt_entry_match *m, int * size)
return 0;
}
-static int compat_calc_entry(struct ipt_entry *e, struct xt_table_info *info,
+static int compat_calc_entry(struct ipt_entry *e,
+ const struct xt_table_info *info,
void *base, struct xt_table_info *newinfo)
{
struct ipt_entry_target *t;
@@ -1118,22 +1119,17 @@ static int compat_calc_entry(struct ipt_entry *e, struct xt_table_info *info,
return 0;
}
-static int compat_table_info(struct xt_table_info *info,
+static int compat_table_info(const struct xt_table_info *info,
struct xt_table_info *newinfo)
{
void *loc_cpu_entry;
- int i;
if (!newinfo || !info)
return -EINVAL;
- memset(newinfo, 0, sizeof(struct xt_table_info));
- newinfo->size = info->size;
- newinfo->number = info->number;
- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
- newinfo->hook_entry[i] = info->hook_entry[i];
- newinfo->underflow[i] = info->underflow[i];
- }
+ /* we dont care about newinfo->entries[] */
+ memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
+ newinfo->initial_entries = 0;
loc_cpu_entry = info->entries[raw_smp_processor_id()];
return IPT_ENTRY_ITERATE(loc_cpu_entry, info->size,
compat_calc_entry, info, loc_cpu_entry, newinfo);
@@ -1327,8 +1323,7 @@ do_replace(void __user *user, unsigned int len)
return -ENOPROTOOPT;
/* overflow check */
- if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
- SMP_CACHE_BYTES)
+ if (tmp.size >= INT_MAX / num_possible_cpus())
return -ENOMEM;
if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
return -ENOMEM;
@@ -1861,8 +1856,7 @@ compat_do_replace(void __user *user, unsigned int len)
return -ENOPROTOOPT;
/* overflow check */
- if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
- SMP_CACHE_BYTES)
+ if (tmp.size >= INT_MAX / num_possible_cpus())
return -ENOMEM;
if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
return -ENOMEM;
@@ -2159,7 +2153,7 @@ int ipt_register_table(struct xt_table *table, const struct ipt_replace *repl)
{
int ret;
struct xt_table_info *newinfo;
- static struct xt_table_info bootstrap
+ struct xt_table_info bootstrap
= { 0, 0, 0, { 0 }, { 0 }, { } };
void *loc_cpu_entry;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index e1e87ef..e60c1b4 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1042,8 +1042,7 @@ do_replace(void __user *user, unsigned int len)
return -EFAULT;
/* overflow check */
- if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
- SMP_CACHE_BYTES)
+ if (tmp.size >= INT_MAX / num_possible_cpus())
return -ENOMEM;
if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
return -ENOMEM;
@@ -1339,7 +1338,7 @@ int ip6t_register_table(struct xt_table *table,
{
int ret;
struct xt_table_info *newinfo;
- static struct xt_table_info bootstrap
+ struct xt_table_info bootstrap
= { 0, 0, 0, { 0 }, { 0 }, { } };
void *loc_cpu_entry;
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index d9a3bde..862b27d 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -495,7 +495,7 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size)
if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > num_physpages)
return NULL;
- newinfo = kzalloc(sizeof(struct xt_table_info), GFP_KERNEL);
+ newinfo = kzalloc(XT_TABLE_INFO_SZ, GFP_KERNEL);
if (!newinfo)
return NULL;
next prev parent reply other threads:[~2007-12-04 12:02 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-12-04 12:01 [NETFILTER 00/49]: Netfilter update Patrick McHardy
2007-12-04 12:01 ` [NETFILTER 01/49]: x_tables: add TCPOPTSTRIP target Patrick McHardy
2007-12-04 12:01 ` [NETFILTER 02/49]: replace list_for_each with list_for_each_entry Patrick McHardy
2007-12-04 12:02 ` Patrick McHardy [this message]
2007-12-04 12:02 ` [NETFILTER 05/49]: x_tables: remove obsolete overflow check Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 06/49]: merge ipt_owner/ip6t_owner in xt_owner Patrick McHardy
2007-12-04 12:02 ` [IPV4 07/49]: Add inet_dev_addr_type() Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 08/49]: ipt_addrtype: limit address type checking to an interface Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 09/49]: Use lowercase names for matches in Kconfig Patrick McHardy
2007-12-04 12:02 ` [NET 10/49]: Constify include/net/dsfield.h Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 11/49]: Merge ipt_tos into xt_dscp Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 12/49]: Merge ipt_TOS into xt_DSCP Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 13/49]: IPv6 capable xt_tos v1 match Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 14/49]: IPv6 capable xt_TOS v1 target Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 15/49]: ip_tables: remove obsolete SAME target Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 16/49]: x_tables: add RATEEST target Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 17/49]: x_tables: add rateest match Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 18/49]: {ip,ip6}t_LOG: log GID Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 19/49]: xt_hashlimit: remove ip6tables module dependency Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 20/49]: nf_ct_h323: remove ipv6 " Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 21/49]: nf_conntrack_proto_icmp: kill extern declaration in .c file Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 22/49]: Use nf_register_hooks for multiple registrations Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 23/49]: Mark hooks __read_mostly Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 24/49]: nf_queue: minor cleanup Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 25/49]: nf_queue: remove unnecessary hook existance check Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 26/49]: nf_queue: make queue_handler const Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 27/49]: nf_queue: remove unused data pointer Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 28/49]: nf_queue: move queueing related functions/struct to seperate header Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 29/49]: {nf_netlink,ip,ip6}_queue: use list_for_each_entry Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 30/49]: nfnetlink_queue: deobfuscate entry lookups Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 31/49]: ip_queue: " Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 32/49]: ip6_queue: " Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 33/49]: ip6_queue: resync dev-index based flushing Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 34/49]: nf_queue: move list_head/skb/id to struct nf_info Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 35/49]: {nfnetlink,ip,ip6}_queue: kill issue_verdict Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 36/49]: nf_queue: clean up error paths Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 37/49]: remove annoying debugging message Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 38/49]: nfnetlink_queue: avoid unnecessary atomic operation Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 39/49]: nfnetlink_queue: fix checks in nfqnl_recv_config Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 40/49]: nfnetlink: use RCU for queue instances hash Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 41/49]: nfnetlink_queue: kill useless wrapper Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 42/49]: nfnetlink_queue: remove useless debugging Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 43/49]: nfnetlink_queue: mark hash table __read_mostly Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 44/49]: nfnetlink_queue: use endianness-aware attribute functions Patrick McHardy
2007-12-04 12:02 ` [NETFILTER 45/49]: nfnetlink_queue: eliminate impossible switch case Patrick McHardy
2007-12-04 12:03 ` [NETFILTER 46/49]: nfnetlink_queue: remove useless enqueue status codes Patrick McHardy
2007-12-04 12:03 ` [NETFILTER 47/49]: nfnetlink_queue: update copyright Patrick McHardy
2007-12-04 12:03 ` [NETFILTER 48/49]: remove NF_CONNTRACK_ENABLED option Patrick McHardy
2007-12-04 12:03 ` [NETFILTER 49/49]: Select CONFIG_NETFILTER_NETLINK when needed Patrick McHardy
2007-12-05 9:35 ` [NETFILTER 00/49]: Netfilter update David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20071204120200.2442.89438.sendpatchset@localhost.localdomain \
--to=kaber@trash.net \
--cc=davem@davemloft.net \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.