[PATCH nf-next 0/2] netfilter: reduce size of hook entry points

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH nf-next 0/2] netfilter: reduce size of hook entry points
@ 2017-12-02 23:58 Florian Westphal
  2017-12-02 23:58 ` [PATCH nf-next 1/2] netfilter: reduce size of hook entry point locations Florian Westphal
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Florian Westphal @ 2017-12-02 23:58 UTC (permalink / raw)
  To: netfilter-devel

struct net contains:

struct nf_hook_entries __rcu *hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS];

where NFPROTO_NUMPROTO = 13 and NF_MAX_HOOKS = 8.

... and that needs a *lot* more space than what we really need.
We only need hooks for arp, bridge, ipv4, ipv6 and decnet.

Arp only has 3 hook types, decnet has 7, all others have 5.
So replace this with dedicated arrays of the correct size to save
some space.

Changes since RFC:
 - bridge only needs 5, not 6 hooks (BROUTE isn't a real hookpoint)
 - Use run-time check to reject register requests for hook types that
   don't fit the array size.
   RFC tried to use BUILD_BUG_ON checks in nf_hook(), but that breaks build
   on some older gcc releases.

 include/linux/netfilter.h       |   30 ++++++++++++++++++--
 include/net/netns/netfilter.h   |   15 +++++++++-
 net/bridge/br_netfilter_hooks.c |    2 -
 net/netfilter/core.c            |   60 ++++++++++++++++++++++++++++++++++------
 net/netfilter/nf_queue.c        |   21 ++++++++++++--
 5 files changed, 114 insertions(+), 14 deletions(-)

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH nf-next 1/2] netfilter: reduce size of hook entry point locations
  2017-12-02 23:58 [PATCH nf-next 0/2] netfilter: reduce size of hook entry points Florian Westphal
@ 2017-12-02 23:58 ` Florian Westphal
  2017-12-02 23:58 ` [PATCH nf-next 2/2] netfilter: reduce hook array sizes to what is needed Florian Westphal
  2017-12-06  8:20 ` [PATCH nf-next 0/2] netfilter: reduce size of hook entry points Pablo Neira Ayuso
  2 siblings, 0 replies; 5+ messages in thread
From: Florian Westphal @ 2017-12-02 23:58 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

struct net contains:

struct nf_hook_entries __rcu *hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS];

which store the hook entry point locations for the various protocol
families and the hooks.

Using array results in compact c code when doing accesses, i.e.
  x = rcu_dereference(net->nf.hooks[pf][hook]);

but its also wasting a lot of memory, as most families are
not used.

So split the array into those families that are used, which
are only 5 (instead of 13).  In most cases, the 'pf' argument is
constant, i.e. gcc removes switch statement.

struct net before:
 /* size: 5184, cachelines: 81, members: 46 */
after:
 /* size: 4672, cachelines: 73, members: 46 */

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/linux/netfilter.h       | 24 ++++++++++++++++++++++--
 include/net/netns/netfilter.h   |  6 +++++-
 net/bridge/br_netfilter_hooks.c |  2 +-
 net/netfilter/core.c            | 38 ++++++++++++++++++++++++++++++--------
 net/netfilter/nf_queue.c        | 21 +++++++++++++++++++--
 5 files changed, 77 insertions(+), 14 deletions(-)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index b24e9b101651..80aa9a0b3d10 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -184,7 +184,7 @@ static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net,
 			  struct net_device *indev, struct net_device *outdev,
 			  int (*okfn)(struct net *, struct sock *, struct sk_buff *))
 {
-	struct nf_hook_entries *hook_head;
+	struct nf_hook_entries *hook_head = NULL;
 	int ret = 1;
 
 #ifdef HAVE_JUMP_LABEL
@@ -195,7 +195,27 @@ static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net,
 #endif
 
 	rcu_read_lock();
-	hook_head = rcu_dereference(net->nf.hooks[pf][hook]);
+	switch (pf) {
+	case NFPROTO_IPV4:
+		hook_head = rcu_dereference(net->nf.hooks_ipv4[hook]);
+		break;
+	case NFPROTO_IPV6:
+		hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]);
+		break;
+	case NFPROTO_ARP:
+		hook_head = rcu_dereference(net->nf.hooks_arp[hook]);
+		break;
+	case NFPROTO_BRIDGE:
+		hook_head = rcu_dereference(net->nf.hooks_bridge[hook]);
+		break;
+	case NFPROTO_DECNET:
+		hook_head = rcu_dereference(net->nf.hooks_decnet[hook]);
+		break;
+	default:
+		WARN_ON_ONCE(1);
+		break;
+	}
+
 	if (hook_head) {
 		struct nf_hook_state state;
 
diff --git a/include/net/netns/netfilter.h b/include/net/netns/netfilter.h
index cc00af2ac2d7..b39c563c2fce 100644
--- a/include/net/netns/netfilter.h
+++ b/include/net/netns/netfilter.h
@@ -17,7 +17,11 @@ struct netns_nf {
 #ifdef CONFIG_SYSCTL
 	struct ctl_table_header *nf_log_dir_header;
 #endif
-	struct nf_hook_entries __rcu *hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
+	struct nf_hook_entries __rcu *hooks_ipv4[NF_MAX_HOOKS];
+	struct nf_hook_entries __rcu *hooks_ipv6[NF_MAX_HOOKS];
+	struct nf_hook_entries __rcu *hooks_arp[NF_MAX_HOOKS];
+	struct nf_hook_entries __rcu *hooks_bridge[NF_MAX_HOOKS];
+	struct nf_hook_entries __rcu *hooks_decnet[NF_MAX_HOOKS];
 #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV4)
 	bool			defrag_ipv4;
 #endif
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index c2eea1b8737a..27f1d4f2114a 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -991,7 +991,7 @@ int br_nf_hook_thresh(unsigned int hook, struct net *net,
 	unsigned int i;
 	int ret;
 
-	e = rcu_dereference(net->nf.hooks[NFPROTO_BRIDGE][hook]);
+	e = rcu_dereference(net->nf.hooks_bridge[hook]);
 	if (!e)
 		return okfn(net, sk, skb);
 
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 52cd2901a097..1de3579056ec 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -239,8 +239,23 @@ static void *__nf_hook_entries_try_shrink(struct nf_hook_entries __rcu **pp)
 
 static struct nf_hook_entries __rcu **nf_hook_entry_head(struct net *net, const struct nf_hook_ops *reg)
 {
-	if (reg->pf != NFPROTO_NETDEV)
-		return net->nf.hooks[reg->pf]+reg->hooknum;
+	switch (reg->pf) {
+	case NFPROTO_NETDEV:
+		break;
+	case NFPROTO_ARP:
+		return net->nf.hooks_arp + reg->hooknum;
+	case NFPROTO_BRIDGE:
+		return net->nf.hooks_bridge + reg->hooknum;
+	case NFPROTO_IPV4:
+		return net->nf.hooks_ipv4 + reg->hooknum;
+	case NFPROTO_IPV6:
+		return net->nf.hooks_ipv6 + reg->hooknum;
+	case NFPROTO_DECNET:
+		return net->nf.hooks_decnet + reg->hooknum;
+	default:
+		WARN_ON_ONCE(1);
+		return NULL;
+	}
 
 #ifdef CONFIG_NETFILTER_INGRESS
 	if (reg->hooknum == NF_NETDEV_INGRESS) {
@@ -569,14 +584,21 @@ void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *);
 EXPORT_SYMBOL(nf_nat_decode_session_hook);
 #endif
 
-static int __net_init netfilter_net_init(struct net *net)
+static void __net_init __netfilter_net_init(struct nf_hook_entries *e[NF_MAX_HOOKS])
 {
-	int i, h;
+	int h;
 
-	for (i = 0; i < ARRAY_SIZE(net->nf.hooks); i++) {
-		for (h = 0; h < NF_MAX_HOOKS; h++)
-			RCU_INIT_POINTER(net->nf.hooks[i][h], NULL);
-	}
+	for (h = 0; h < NF_MAX_HOOKS; h++)
+		RCU_INIT_POINTER(e[h], NULL);
+}
+
+static int __net_init netfilter_net_init(struct net *net)
+{
+	__netfilter_net_init(net->nf.hooks_ipv4);
+	__netfilter_net_init(net->nf.hooks_ipv6);
+	__netfilter_net_init(net->nf.hooks_arp);
+	__netfilter_net_init(net->nf.hooks_bridge);
+	__netfilter_net_init(net->nf.hooks_decnet);
 
 #ifdef CONFIG_PROC_FS
 	net->nf.proc_netfilter = proc_net_mkdir(net, "netfilter",
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index f7e21953b1de..5f7766a04533 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -204,6 +204,23 @@ static unsigned int nf_iterate(struct sk_buff *skb,
 	return NF_ACCEPT;
 }
 
+static struct nf_hook_entries *nf_hook_entries_head(const struct net *net, u8 pf, u8 hooknum)
+{
+	switch (pf) {
+	case NFPROTO_BRIDGE:
+		return rcu_dereference(net->nf.hooks_bridge[hooknum]);
+	case NFPROTO_IPV4:
+		return rcu_dereference(net->nf.hooks_ipv4[hooknum]);
+	case NFPROTO_IPV6:
+		return rcu_dereference(net->nf.hooks_ipv6[hooknum]);
+	default:
+		WARN_ON_ONCE(1);
+		return NULL;
+	}
+
+	return NULL;
+}
+
 /* Caller must hold rcu read-side lock */
 void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
 {
@@ -219,12 +236,12 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
 	net = entry->state.net;
 	pf = entry->state.pf;
 
-	hooks = rcu_dereference(net->nf.hooks[pf][entry->state.hook]);
+	hooks = nf_hook_entries_head(net, pf, entry->state.hook);
 
 	nf_queue_entry_release_refs(entry);
 
 	i = entry->hook_index;
-	if (WARN_ON_ONCE(i >= hooks->num_hook_entries)) {
+	if (WARN_ON_ONCE(!hooks || i >= hooks->num_hook_entries)) {
 		kfree_skb(skb);
 		kfree(entry);
 		return;
-- 
2.13.6


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [PATCH nf-next 2/2] netfilter: reduce hook array sizes to what is needed
  2017-12-02 23:58 [PATCH nf-next 0/2] netfilter: reduce size of hook entry points Florian Westphal
  2017-12-02 23:58 ` [PATCH nf-next 1/2] netfilter: reduce size of hook entry point locations Florian Westphal
@ 2017-12-02 23:58 ` Florian Westphal
  2017-12-06 18:14   ` Pablo Neira Ayuso
  2017-12-06  8:20 ` [PATCH nf-next 0/2] netfilter: reduce size of hook entry points Pablo Neira Ayuso
  2 siblings, 1 reply; 5+ messages in thread
From: Florian Westphal @ 2017-12-02 23:58 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

Not all families share the same hook count.

Can't use the corresponding ARP, BRIDGE, DECNET defines because they are
defined in uapi headers and including them causes build failures.

struct net before:
/* size: 6592, cachelines: 103, members: 46 */
after:
/* size: 5952, cachelines: 93, members: 46 */

Also, no need to define hook points if the family isn't supported.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/linux/netfilter.h     |  6 ++++++
 include/net/netns/netfilter.h | 19 ++++++++++++++-----
 net/netfilter/core.c          | 22 ++++++++++++++++++++++
 3 files changed, 42 insertions(+), 5 deletions(-)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 80aa9a0b3d10..30a0d12a1f6d 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -202,15 +202,21 @@ static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net,
 	case NFPROTO_IPV6:
 		hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]);
 		break;
+#if IS_ENABLED(CONFIG_IP_NF_ARPTABLES)
 	case NFPROTO_ARP:
 		hook_head = rcu_dereference(net->nf.hooks_arp[hook]);
 		break;
+#endif
+#if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)
 	case NFPROTO_BRIDGE:
 		hook_head = rcu_dereference(net->nf.hooks_bridge[hook]);
 		break;
+#endif
+#if IS_ENABLED(CONFIG_DECNET)
 	case NFPROTO_DECNET:
 		hook_head = rcu_dereference(net->nf.hooks_decnet[hook]);
 		break;
+#endif
 	default:
 		WARN_ON_ONCE(1);
 		break;
diff --git a/include/net/netns/netfilter.h b/include/net/netns/netfilter.h
index b39c563c2fce..2ede7bc4ecaa 100644
--- a/include/net/netns/netfilter.h
+++ b/include/net/netns/netfilter.h
@@ -17,11 +17,20 @@ struct netns_nf {
 #ifdef CONFIG_SYSCTL
 	struct ctl_table_header *nf_log_dir_header;
 #endif
-	struct nf_hook_entries __rcu *hooks_ipv4[NF_MAX_HOOKS];
-	struct nf_hook_entries __rcu *hooks_ipv6[NF_MAX_HOOKS];
-	struct nf_hook_entries __rcu *hooks_arp[NF_MAX_HOOKS];
-	struct nf_hook_entries __rcu *hooks_bridge[NF_MAX_HOOKS];
-	struct nf_hook_entries __rcu *hooks_decnet[NF_MAX_HOOKS];
+	struct nf_hook_entries __rcu *hooks_ipv4[NF_INET_NUMHOOKS];
+	struct nf_hook_entries __rcu *hooks_ipv6[NF_INET_NUMHOOKS];
+#if IS_ENABLED(CONFIG_IP_NF_ARPTABLES)
+	/* in/out/forward only */
+	struct nf_hook_entries __rcu *hooks_arp[3];
+#endif
+#if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)
+	/* note: 'BROUTE' isn't a real hook (called via function pointer) */
+	struct nf_hook_entries __rcu *hooks_bridge[NF_INET_NUMHOOKS];
+#endif
+#if IS_ENABLED(CONFIG_DECNET)
+	/* also supports a 'HELLO' and 'ROUTE' type */
+	struct nf_hook_entries __rcu *hooks_decnet[NF_INET_NUMHOOKS + 2];
+#endif
 #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV4)
 	bool			defrag_ipv4;
 #endif
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 1de3579056ec..5cb2a36ce4e1 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -242,16 +242,32 @@ static struct nf_hook_entries __rcu **nf_hook_entry_head(struct net *net, const
 	switch (reg->pf) {
 	case NFPROTO_NETDEV:
 		break;
+#if IS_ENABLED(CONFIG_IP_NF_ARPTABLES)
 	case NFPROTO_ARP:
+		if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_arp) <= reg->hooknum))
+			return NULL;
 		return net->nf.hooks_arp + reg->hooknum;
+#endif
+#if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)
 	case NFPROTO_BRIDGE:
+		if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_bridge) <= reg->hooknum))
+			return NULL;
 		return net->nf.hooks_bridge + reg->hooknum;
+#endif
 	case NFPROTO_IPV4:
+		if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_ipv4) <= reg->hooknum))
+			return NULL;
 		return net->nf.hooks_ipv4 + reg->hooknum;
 	case NFPROTO_IPV6:
+		if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_ipv6) <= reg->hooknum))
+			return NULL;
 		return net->nf.hooks_ipv6 + reg->hooknum;
+#if IS_ENABLED(CONFIG_DECNET)
 	case NFPROTO_DECNET:
+		if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_decnet) <= reg->hooknum))
+			return NULL;
 		return net->nf.hooks_decnet + reg->hooknum;
+#endif
 	default:
 		WARN_ON_ONCE(1);
 		return NULL;
@@ -596,9 +612,15 @@ static int __net_init netfilter_net_init(struct net *net)
 {
 	__netfilter_net_init(net->nf.hooks_ipv4);
 	__netfilter_net_init(net->nf.hooks_ipv6);
+#if IS_ENABLED(CONFIG_IP_NF_ARPTABLES)
 	__netfilter_net_init(net->nf.hooks_arp);
+#endif
+#if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)
 	__netfilter_net_init(net->nf.hooks_bridge);
+#endif
+#if IS_ENABLED(CONFIG_DECNET)
 	__netfilter_net_init(net->nf.hooks_decnet);
+#endif
 
 #ifdef CONFIG_PROC_FS
 	net->nf.proc_netfilter = proc_net_mkdir(net, "netfilter",
-- 
2.13.6


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH nf-next 2/2] netfilter: reduce hook array sizes to what is needed
  2017-12-02 23:58 ` [PATCH nf-next 2/2] netfilter: reduce hook array sizes to what is needed Florian Westphal
@ 2017-12-06 18:14   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2017-12-06 18:14 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

On Sun, Dec 03, 2017 at 12:58:48AM +0100, Florian Westphal wrote:
> Not all families share the same hook count.
> 
> Can't use the corresponding ARP, BRIDGE, DECNET defines because they are
> defined in uapi headers and including them causes build failures.
> 
> struct net before:
> /* size: 6592, cachelines: 103, members: 46 */
> after:
> /* size: 5952, cachelines: 93, members: 46 */
> 
> Also, no need to define hook points if the family isn't supported.
> 
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
>  include/linux/netfilter.h     |  6 ++++++
>  include/net/netns/netfilter.h | 19 ++++++++++++++-----
>  net/netfilter/core.c          | 22 ++++++++++++++++++++++
>  3 files changed, 42 insertions(+), 5 deletions(-)
> 
> diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
> index 80aa9a0b3d10..30a0d12a1f6d 100644
> --- a/include/linux/netfilter.h
> +++ b/include/linux/netfilter.h
> @@ -202,15 +202,21 @@ static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net,
>  	case NFPROTO_IPV6:
>  		hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]);
>  		break;
> +#if IS_ENABLED(CONFIG_IP_NF_ARPTABLES)

There'a also nftables here that can use the NFPROTO_ARP family.

>  	case NFPROTO_ARP:
>  		hook_head = rcu_dereference(net->nf.hooks_arp[hook]);
>  		break;
> +#endif
> +#if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)

Same here with ebtables?

>  	case NFPROTO_BRIDGE:
>  		hook_head = rcu_dereference(net->nf.hooks_bridge[hook]);
>  		break;
> +#endif

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH nf-next 0/2] netfilter: reduce size of hook entry points
  2017-12-02 23:58 [PATCH nf-next 0/2] netfilter: reduce size of hook entry points Florian Westphal
  2017-12-02 23:58 ` [PATCH nf-next 1/2] netfilter: reduce size of hook entry point locations Florian Westphal
  2017-12-02 23:58 ` [PATCH nf-next 2/2] netfilter: reduce hook array sizes to what is needed Florian Westphal
@ 2017-12-06  8:20 ` Pablo Neira Ayuso
  2 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2017-12-06  8:20 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

On Sun, Dec 03, 2017 at 12:58:46AM +0100, Florian Westphal wrote:
> struct net contains:
> 
> struct nf_hook_entries __rcu *hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
> 
> where NFPROTO_NUMPROTO = 13 and NF_MAX_HOOKS = 8.
> 
> ... and that needs a *lot* more space than what we really need.
> We only need hooks for arp, bridge, ipv4, ipv6 and decnet.
> 
> Arp only has 3 hook types, decnet has 7, all others have 5.
> So replace this with dedicated arrays of the correct size to save
> some space.

Also applied, thanks.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2017-12-06 18:14 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-12-02 23:58 [PATCH nf-next 0/2] netfilter: reduce size of hook entry points Florian Westphal
2017-12-02 23:58 ` [PATCH nf-next 1/2] netfilter: reduce size of hook entry point locations Florian Westphal
2017-12-02 23:58 ` [PATCH nf-next 2/2] netfilter: reduce hook array sizes to what is needed Florian Westphal
2017-12-06 18:14   ` Pablo Neira Ayuso
2017-12-06  8:20 ` [PATCH nf-next 0/2] netfilter: reduce size of hook entry points Pablo Neira Ayuso

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.