* [NETFILTER]: Deploy a prefix length to network mask mapping table
From: Jan Engelhardt @ 2008-02-21 15:38 UTC
To: kaber; +Cc: Netfilter Developer Mailing List
Hi,
this is now the proposed memory reduction of xt_conntrack as previously
mentioned in http://marc.info/?l=netfilter-devel&m=120334779109237&w=2 .
Since xt_conntrack r1 is new, we can still modify it.
===
commit 84622a5c5190ea1bf0a37695961714a04a99a9c0
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Thu Feb 21 16:33:32 2008 +0100
[NETFILTER]: Deploy a prefix length to network mask mapping table
Userspace utilities commonly transform a prefix length (CIDR notation
like 192.168.222.1/32) into a full netmask before submitting it to
the kernel.
The size of struct xt_conntrack_mtinfo1 is currently 152 bytes, of
which 64 bytes are for masks. By submitting prefix lengths to the
kernel, we can save 60 bytes (almost 40%) as prefix lengths can fit
into one uint8_t. Since we do not want to recompute the mask for each
invocation of the match function, a static translation table will be
used (net/core/pfxlen.c).
The patch also removes xt_hashlimit's obsolete mask computation.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
diff --git a/include/linux/netfilter/xt_conntrack.h b/include/linux/netfilter/xt_conntrack.h
index f3fd83e..d787786 100644
--- a/include/linux/netfilter/xt_conntrack.h
+++ b/include/linux/netfilter/xt_conntrack.h
@@ -68,16 +68,18 @@ struct xt_conntrack_info
};
struct xt_conntrack_mtinfo1 {
- union nf_inet_addr origsrc_addr, origsrc_mask;
- union nf_inet_addr origdst_addr, origdst_mask;
- union nf_inet_addr replsrc_addr, replsrc_mask;
- union nf_inet_addr repldst_addr, repldst_mask;
+ union nf_inet_addr origsrc_addr;
+ union nf_inet_addr origdst_addr;
+ union nf_inet_addr replsrc_addr;
+ union nf_inet_addr repldst_addr;
u_int32_t expires_min, expires_max;
u_int16_t l4proto;
__be16 origsrc_port, origdst_port;
__be16 replsrc_port, repldst_port;
u_int16_t match_flags, invert_flags;
u_int8_t state_mask, status_mask;
+ u_int8_t origsrc_pfx, origdst_pfx;
+ u_int8_t replsrc_pfx, repldst_pfx;
};
#endif /*_XT_CONNTRACK_H*/
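Review bot: replacing the four mask members with u_int8_t *_pfx fields changes both the layout and the size of struct xt_conntrack_mtinfo1 without bumping the match revision, so a kernel carrying this patch would misinterpret a blob produced by an iptables built against the old r1 header (mask bytes read as ports and flags), and vice versa. That is acceptable only under the cover letter's premise that no released userspace uses r1 yet; if that premise fails, this has to become a new revision rather than an in-place change.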
diff --git a/include/net/pfxlen.h b/include/net/pfxlen.h
new file mode 100644
index 0000000..203a494
--- /dev/null
+++ b/include/net/pfxlen.h
@@ -0,0 +1,8 @@
+#ifndef _NET_PFXLEN_H
+#define _NET_PFXLEN_H 1
+
+#include <linux/netfilter.h>
+
+extern union nf_inet_addr prefixlen_netmask_map[];
+
+#endif /* _NET_PFXLEN_H */
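Review bot: the declaration `extern union nf_inet_addr prefixlen_netmask_map[];` drops the `const` that the definition in net/core/pfxlen.c carries, so header and definition disagree on the object's type and every caller sees a writable table that actually lives in read-only data. Declare it `extern const union nf_inet_addr prefixlen_netmask_map[];` and have pfxlen.c include <net/pfxlen.h> so the compiler catches this kind of mismatch.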
diff --git a/net/Kconfig b/net/Kconfig
index 6627c6a..ca0237e 100644
--- a/net/Kconfig
+++ b/net/Kconfig
@@ -27,6 +27,12 @@ if NET
menu "Networking options"
+config NET_PFXLEN
+ tristate
+ ---help---
+ This option adds a translation table from prefix length to
+ expanded netmasks (e.g. /28 => 255.255.255.240)
+
config NET_NS
bool "Network namespace support"
default n
diff --git a/net/core/Makefile b/net/core/Makefile
index b1332f6..cc818dd 100644
--- a/net/core/Makefile
+++ b/net/core/Makefile
@@ -16,3 +16,4 @@ obj-$(CONFIG_NET_PKTGEN) += pktgen.o
obj-$(CONFIG_NETPOLL) += netpoll.o
obj-$(CONFIG_NET_DMA) += user_dma.o
obj-$(CONFIG_FIB_RULES) += fib_rules.o
+obj-$(CONFIG_NET_PFXLEN) += pfxlen.o
diff --git a/net/core/pfxlen.c b/net/core/pfxlen.c
new file mode 100644
index 0000000..5667c03
--- /dev/null
+++ b/net/core/pfxlen.c
@@ -0,0 +1,146 @@
+#include <linux/netfilter.h>
+
+#define E(a, b, c, d) \
+ {.ip6 = { \
+ __constant_htonl(a), __constant_htonl(b), \
+ __constant_htonl(c), __constant_htonl(d), \
+ }}
+
+/*
+ * This table works for both IPv4 and IPv6;
+ * just use prefixlen_netmask_map[prefixlength].ip.
+ */
+const union nf_inet_addr prefixlen_netmask_map[] = {
+ E(0x00000000, 0x00000000, 0x00000000, 0x00000000),
+ E(0x80000000, 0x00000000, 0x00000000, 0x00000000),
+ E(0xC0000000, 0x00000000, 0x00000000, 0x00000000),
+ E(0xE0000000, 0x00000000, 0x00000000, 0x00000000),
+ E(0xF0000000, 0x00000000, 0x00000000, 0x00000000),
+ E(0xF8000000, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFC000000, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFE000000, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFF000000, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFF800000, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFFC00000, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFFE00000, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFFF00000, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFFF80000, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFFFC0000, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFFFE0000, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFFFF0000, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFFFF8000, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFFFFC000, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFFFFE000, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFFFFF000, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFFFFF800, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFFFFFC00, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFFFFFE00, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFFFFFF00, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFFFFFF80, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFFFFFFC0, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFFFFFFE0, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFFFFFFF0, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFFFFFFF8, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFFFFFFFC, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFFFFFFFE, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0x00000000, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0x80000000, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xC0000000, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xE0000000, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xF0000000, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xF8000000, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFC000000, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFE000000, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFF000000, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFF800000, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFC00000, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFE00000, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFF00000, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFF80000, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFC0000, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFE0000, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFF0000, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFF8000, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFC000, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFE000, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFF000, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFF800, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFC00, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFE00, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFF00, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFF80, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFC0, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFE0, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFF0, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFF8, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFC, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFE, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0x80000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xC0000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xE0000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xF0000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xF8000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFC000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFE000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFF000000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFF800000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFC00000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFE00000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFF00000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFF80000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFC0000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFE0000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF0000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF8000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFC000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFE000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF000, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF800, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFC00, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFE00, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF00, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF80, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFC0, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFE0, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF0, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF8, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFC, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x80000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xC0000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xE0000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xF0000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xF8000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFC000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFE000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFF000000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFF800000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFC00000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFE00000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFF00000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFF80000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFC0000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFE0000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF0000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF8000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFC000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFE000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF000),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF800),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFC00),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFE00),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF00),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF80),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFC0),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFE0),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF0),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF8),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFC),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE),
+ E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF),
+};
+EXPORT_SYMBOL(prefixlen_netmask_map);
+
+MODULE_LICENSE("GPL");
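Review bot: the table has exactly 129 entries (prefix lengths 0 to 128) but exports neither its size nor a bounds-checked accessor, so every caller indexes it raw with a value that arrives from userspace as a u_int8_t and can be anything up to 255. Suggest a `#define` for the maximum prefix next to the declaration and a `BUILD_BUG_ON(ARRAY_SIZE(prefixlen_netmask_map) != 129)` here, so a dropped or duplicated E() line fails the build instead of silently shifting every mask by one. The comment's advice to use `.ip` for IPv4 is correct only because `ip` aliases `ip6[0]` in union nf_inet_addr; saying so makes the comment self-explanatory.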
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index daf5b88..0bb8c5e 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -27,6 +27,7 @@ config NETFILTER_NETLINK_LOG
config NF_CONNTRACK
tristate "Netfilter connection tracking support"
default m if NETFILTER_ADVANCED=n
+ select NET_PFXLEN
help
Connection tracking keeps a record of what packets have passed
through your machine, in order to figure out how they are related
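Review bot: only NF_CONNTRACK selects NET_PFXLEN, yet xt_hashlimit.c in this same patch now references prefixlen_netmask_map and does not depend on NF_CONNTRACK, so a configuration with NETFILTER_XT_MATCH_HASHLIMIT enabled and NF_CONNTRACK disabled fails to link (or the module fails to load with an unresolved symbol). Add `select NET_PFXLEN` to NETFILTER_XT_MATCH_HASHLIMIT as well, or let NETFILTER_XTABLES select it for all users.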
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 0c50b28..30fdf88 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -13,6 +13,7 @@
#include <linux/module.h>
#include <linux/skbuff.h>
#include <net/ipv6.h>
+#include <net/pfxlen.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_conntrack.h>
#include <net/netfilter/nf_conntrack.h>
@@ -136,7 +137,8 @@ conntrack_mt_origsrc(const struct nf_conn *ct,
unsigned int family)
{
return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3,
- &info->origsrc_addr, &info->origsrc_mask, family);
+ &info->origsrc_addr, &prefixlen_netmask_map[info->origsrc_pfx],
+ family);
}
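Review bot: `prefixlen_netmask_map[info->origsrc_pfx]` (and the same pattern in the three hunks that follow) is an unchecked array index on a value copied from userspace; it is safe only because conntrack_mt_check, later in this patch, rejects prefixes above 32 or 128 before the match is installed. A one-line comment here pointing at that check would keep a future refactor from dropping it.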
static inline bool
@@ -145,7 +147,8 @@ conntrack_mt_origdst(const struct nf_conn *ct,
unsigned int family)
{
return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3,
- &info->origdst_addr, &info->origdst_mask, family);
+ &info->origdst_addr, &prefixlen_netmask_map[info->origdst_pfx],
+ family);
}
static inline bool
@@ -154,7 +157,8 @@ conntrack_mt_replsrc(const struct nf_conn *ct,
unsigned int family)
{
return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3,
- &info->replsrc_addr, &info->replsrc_mask, family);
+ &info->replsrc_addr, &prefixlen_netmask_map[info->replsrc_pfx],
+ family);
}
static inline bool
@@ -163,7 +167,8 @@ conntrack_mt_repldst(const struct nf_conn *ct,
unsigned int family)
{
return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3,
- &info->repldst_addr, &info->repldst_mask, family);
+ &info->repldst_addr, &prefixlen_netmask_map[info->repldst_pfx],
+ family);
}
static inline bool
@@ -289,6 +294,16 @@ conntrack_mt_check(const char *tablename, const void *ip,
const struct xt_match *match, void *matchinfo,
unsigned int hook_mask)
{
+ const struct xt_conntrack_mtinfo1 *info = matchinfo;
+
+ if (match->family == AF_INET && (info->origsrc_pfx > 32 ||
+ info->origdst_pfx > 32 || info->replsrc_pfx > 32 ||
+ info->repldst_pfx > 32))
+ return false;
+ if (match->family == AF_INET6 && (info->origsrc_pfx > 128 ||
+ info->origdst_pfx > 128 || info->replsrc_pfx > 128 ||
+ info->repldst_pfx > 128))
+ return false;
if (nf_ct_l3proto_try_module_get(match->family) < 0) {
printk(KERN_WARNING "can't load conntrack support for "
"proto=%u\n", match->family);
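Review bot: the range checks sit before nf_ct_l3proto_try_module_get(), so a rejected prefix does not leak a module reference; good. The bounds 32 and 128 are literals that have to track the size of the table in net/core/pfxlen.c, so naming them (for example as constants in <net/pfxlen.h>) keeps the two from drifting apart, and a printk on the reject path, like the one below for the module-load failure, would give the user more than a bare "invalid argument" from iptables.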
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 744c7f2..de734e5 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -26,6 +26,7 @@
#endif
#include <net/net_namespace.h>
+#include <net/pfxlen.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
@@ -466,43 +467,18 @@ static inline void rateinfo_recalc(struct dsthash_ent *dh, unsigned long now)
static inline __be32 maskl(__be32 a, unsigned int l)
{
- return htonl(ntohl(a) & ~(~(u_int32_t)0 >> l));
+ return a & prefixlen_netmask_map[l].ip;
}
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
static void hashlimit_ipv6_mask(__be32 *i, unsigned int p)
{
- switch (p) {
- case 0:
- i[0] = i[1] = 0;
- i[2] = i[3] = 0;
- break;
- case 1 ... 31:
- i[0] = maskl(i[0], p);
- i[1] = i[2] = i[3] = 0;
- break;
- case 32:
- i[1] = i[2] = i[3] = 0;
- break;
- case 33 ... 63:
- i[1] = maskl(i[1], p - 32);
- i[2] = i[3] = 0;
- break;
- case 64:
- i[2] = i[3] = 0;
- break;
- case 65 ... 95:
- i[2] = maskl(i[2], p - 64);
- i[3] = 0;
- case 96:
- i[3] = 0;
- break;
- case 97 ... 127:
- i[3] = maskl(i[3], p - 96);
- break;
- case 128:
- break;
- }
+ const union nf_inet_addr *mask = &prefixlen_netmask_map[p];
+
+ i[0] &= mask->ip6[0];
+ i[1] &= mask->ip6[1];
+ i[2] &= mask->ip6[2];
+ i[3] &= mask->ip6[3];
}
#endif
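Review bot: the rewritten maskl() and hashlimit_ipv6_mask() index prefixlen_netmask_map with `l` and `p` directly, so both now rely on hashlimit's checkentry bounding cfg.srcmask/cfg.dstmask to 32 and 128 (not visible in this hunk); please confirm that check exists for both families, since the old switch at least had no case beyond 128 while a table lookup reads past the end. The removed code also fell through from `case 65 ... 95` into `case 96` without a `break` (harmless, both zeroed i[3]); the table lookup removes that for free and the commit message could say so.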
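As an added illustration (this is not code from the patch, the kernel or iptables), the following C program builds the same 0..128 prefix-length table the patch hard-codes in net/core/pfxlen.c, but computes it at run time in host byte order and wraps the lookup in the family-aware bounds check that conntrack_mt_check performs, so an index arriving as a u_int8_t cannot read past the 129 entries. The `parse_cidr4()` helper is a constructed stand-in for the iptables `ipparse_hostnetworkpfx()` in the userspace patch, not that function; it shows the full path from `a.b.c.d/len` text to prefix byte to mask to match decision.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Netmask as four 32-bit words in host byte order: enough for IPv6, and
 * IPv4 uses word 0 only, mirroring the .ip / .ip6[0] aliasing in nf_inet_addr. */
struct pfx_mask { uint32_t w[4]; };

#define PFX_TABLE_SIZE 129          /* prefix lengths 0..128 inclusive */

static struct pfx_mask pfx_table[PFX_TABLE_SIZE];
static bool pfx_table_ready;

/* Entry p has its top p bits set; shifts stay in 1..31 so there is no UB. */
static void pfx_table_init(void)
{
    for (unsigned p = 0; p < PFX_TABLE_SIZE; p++) {
        for (unsigned w = 0; w < 4; w++) {
            unsigned bits_here = p > w * 32 ? p - w * 32 : 0;
            if (bits_here >= 32)
                pfx_table[p].w[w] = 0xFFFFFFFFu;
            else if (bits_here == 0)
                pfx_table[p].w[w] = 0;
            else
                pfx_table[p].w[w] = 0xFFFFFFFFu << (32 - bits_here);
        }
    }
    pfx_table_ready = true;
}

/* Family-aware bounds check, like conntrack_mt_check: the ABI carries the
 * prefix as a uint8_t (up to 255) while the table only has 129 entries. */
static bool pfx_valid(unsigned pfx, bool ipv6)
{
    return pfx <= (ipv6 ? 128u : 32u);
}

/* Checked lookup: NULL instead of an out-of-bounds read. */
static const struct pfx_mask *pfx_lookup(unsigned pfx, bool ipv6)
{
    if (!pfx_table_ready)
        pfx_table_init();
    if (!pfx_valid(pfx, ipv6))
        return NULL;
    return &pfx_table[pfx];
}

/* IPv4 mask for a prefix, 0 when the prefix is out of range. */
static uint32_t ipv4_mask(unsigned pfx)
{
    const struct pfx_mask *m = pfx_lookup(pfx, false);
    return m ? m->w[0] : 0;
}

/* The kernel-side comparison: (addr & mask) == (rule & mask). */
static bool ipv4_in_prefix(uint32_t addr, uint32_t net, unsigned pfx)
{
    const struct pfx_mask *m = pfx_lookup(pfx, false);
    return m && (addr & m->w[0]) == (net & m->w[0]);
}

/* Constructed stand-in for ipparse_hostnetworkpfx(): parse "a.b.c.d[/len]"
 * into a host-order address and prefix, rejecting len > 32 and trailing junk.
 * A missing "/len" means a host match (/32), as in the iptables helper. */
static bool parse_cidr4(const char *s, uint32_t *addr, unsigned *pfx)
{
    unsigned a, b, c, d, len = 32;
    int n = 0;

    if (sscanf(s, "%u.%u.%u.%u%n", &a, &b, &c, &d, &n) != 4)
        return false;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return false;
    const char *rest = s + n;
    if (*rest == '/') {
        char *end;
        if (rest[1] < '0' || rest[1] > '9')
            return false;
        unsigned long v = strtoul(rest + 1, &end, 10);
        if (*end != '\0' || v > 32)
            return false;
        len = (unsigned)v;
    } else if (*rest != '\0') {
        return false;
    }
    *addr = (a << 24) | (b << 16) | (c << 8) | d;
    *pfx = len;
    return true;
}

int main(void)
{
    uint32_t net;
    unsigned pfx;

    if (parse_cidr4("192.168.222.0/28", &net, &pfx))
        printf("/%u -> mask %08x\n", pfx, ipv4_mask(pfx));   /* /28 -> fffffff0 */
    printf("/33 as IPv4 valid: %d, as IPv6 valid: %d\n",
           pfx_valid(33, false), pfx_valid(33, true));
    return 0;
}
```

Indexing with an unchecked `uint8_t` is exactly what the kernel-side check guards against: `pfx_lookup(255, true)` returns NULL here, whereas a raw `table[255]` would read 126 entries past the end.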
* Re: [NETFILTER]: Deploy a prefix length to network mask mapping table
From: Jan Engelhardt @ 2008-02-29 18:47 UTC
To: kaber; +Cc: Netfilter Developer Mailing List
On Feb 21 2008 16:38, Jan Engelhardt wrote:
>
>this is now the proposed memory reduction of xt_conntrack as previously
>mentioned in http://marc.info/?l=netfilter-devel&m=120334779109237&w=2 .
>
>Since xt_conntrack r1 is new, we can still modify it.
>
>===
>commit 84622a5c5190ea1bf0a37695961714a04a99a9c0
>Author: Jan Engelhardt <jengelh@computergmbh.de>
>Date: Thu Feb 21 16:33:32 2008 +0100
>
> [NETFILTER]: Deploy a prefix length to network mask mapping table
>
> Userspace utilities commonly transform a prefix length (CIDR notation
> like 192.168.222.1/32) into a full netmask before submitting it to
> the kernel.
>
> The size of struct xt_conntrack_mtinfo1 is currently 152 bytes, of
> which 64 bytes are for masks. By submitting prefix lengths to the
> kernel, we can save 60 bytes (almost 40%) as prefix lengths can fit
> into one uint8_t. Since we do not want to recompute the mask for each
> invocation of the match function, a static translation table will be
> used (net/core/pfxlen.c).
>
> The patch also removes xt_hashlimit's obsolete mask computation.
Can we merge this while r1 is not yet used by userspace?
If not, that's fine too, will queue it for 2.6.26.
* Re: [NETFILTER]: Deploy a prefix length to network mask mapping table
From: Pablo Neira Ayuso @ 2008-03-03 2:52 UTC
To: kaber; +Cc: Jan Engelhardt, Netfilter Developer Mailing List
Jan Engelhardt wrote:
> On Feb 21 2008 16:38, Jan Engelhardt wrote:
>> this is now the proposed memory reduction of xt_conntrack as previously
>> mentioned in http://marc.info/?l=netfilter-devel&m=120334779109237&w=2 .
>>
>> Since xt_conntrack r1 is new, we can still modify it.
>>
>> ===
>> commit 84622a5c5190ea1bf0a37695961714a04a99a9c0
>> Author: Jan Engelhardt <jengelh@computergmbh.de>
>> Date: Thu Feb 21 16:33:32 2008 +0100
>>
>> [NETFILTER]: Deploy a prefix length to network mask mapping table
>>
>> Userspace utilities commonly transform a prefix length (CIDR notation
>> like 192.168.222.1/32) into a full netmask before submitting it to
>> the kernel.
>>
>> The size of struct xt_conntrack_mtinfo1 is currently 152 bytes, of
>> which 64 bytes are for masks. By submitting prefix lengths to the
>> kernel, we can save 60 bytes (almost 40%) as prefix lengths can fit
>> into one uint8_t. Since we do not want to recompute the mask for each
>> invocation of the match function, a static translation table will be
>> used (net/core/pfxlen.c).
>>
>> The patch also removes xt_hashlimit's obsolete mask computation.
>
>
> Can we merge this while r1 is not yet used by userspace?
> If not, that's fine too, will queue it for 2.6.26.
Attention, I'm about to release iptables-1.4.1 which includes the
userspace part for this. I can still delay it a couple of days and
rework the release tarball if you pass me the userspace part asap.
--
"Honest people are social misfits" -- Les Luthiers
* Re: [NETFILTER]: Deploy a prefix length to network mask mapping table
From: Jan Engelhardt @ 2008-03-03 11:34 UTC
To: Pablo Neira Ayuso; +Cc: kaber, Netfilter Developer Mailing List
On Mar 3 2008 03:52, Pablo Neira Ayuso wrote:
>Jan Engelhardt wrote:
>> On Feb 21 2008 16:38, Jan Engelhardt wrote:
>>> this is now the proposed memory reduction of xt_conntrack as previously
>>> mentioned in http://marc.info/?l=netfilter-devel&m=120334779109237&w=2 .
>>>
>>> Since xt_conntrack r1 is new, we can still modify it.
>>>
>>> ===
>>> commit 84622a5c5190ea1bf0a37695961714a04a99a9c0
>>> Author: Jan Engelhardt <jengelh@computergmbh.de>
>>> Date: Thu Feb 21 16:33:32 2008 +0100
>>>
>>> [NETFILTER]: Deploy a prefix length to network mask mapping table
>>>
>>> Userspace utilities commonly transform a prefix length (CIDR notation
>>> like 192.168.222.1/32) into a full netmask before submitting it to
>>> the kernel.
>>>
>>> The size of struct xt_conntrack_mtinfo1 is currently 152 bytes, of
>>> which 64 bytes are for masks. By submitting prefix lengths to the
>>> kernel, we can save 60 bytes (almost 40%) as prefix lengths can fit
>>> into one uint8_t. Since we do not want to recompute the mask for each
>>> invocation of the match function, a static translation table will be
>>> used (net/core/pfxlen.c).
>>>
>>> The patch also removes xt_hashlimit's obsolete mask computation.
>>
>>
>> Can we merge this while r1 is not yet used by userspace?
>> If not, that's fine too, will queue it for 2.6.26.
>
>Attention, I'm about to release iptables-1.4.1 which includes the
>userspace part for this. I can still delay it a couple of days and
>rework the release tarball if you pass me the userspace part asap.
commit 55ad85c12405b61b8c3c082888c75d1559a93c1e
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Tue Feb 19 23:47:31 2008 +0100
Reduce size of struct xt_conntrack_mtinfo1
Reduce the size of struct xt_conntrack_mtinfo1 by sending the prefix
length to kernel-space and letting it look up the full IPv6 mask there.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index d1c0aa0..d459611 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -548,63 +548,41 @@ conntrack_mt4_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_match **match)
{
struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data;
- struct in_addr *addr = NULL;
- unsigned int naddrs = 0;
+ unsigned int pfx;
switch (c) {
case '3': /* --ctorigsrc */
- ipparse_hostnetworkmask(optarg, &addr, &info->origsrc_mask.in,
- &naddrs);
- if (naddrs > 1)
- exit_error(PARAMETER_PROBLEM,
- "multiple IP addresses not allowed");
- if (naddrs == 1)
- memcpy(&info->origsrc_addr.in, addr, sizeof(*addr));
+ ipparse_hostnetworkpfx(optarg, &info->origsrc_addr, &pfx);
+ info->origsrc_pfx = pfx;
info->match_flags |= XT_CONNTRACK_ORIGSRC;
if (invert)
info->invert_flags |= XT_CONNTRACK_ORIGSRC;
break;
case '4': /* --ctorigdst */
- ipparse_hostnetworkmask(optarg, &addr, &info->origdst_mask.in,
- &naddrs);
- if (naddrs > 1)
- exit_error(PARAMETER_PROBLEM,
- "multiple IP addresses not allowed");
- if (naddrs == 1)
- memcpy(&info->origdst_addr.in, addr, sizeof(*addr));
+ ipparse_hostnetworkpfx(optarg, &info->origdst_addr, &pfx);
+ info->origdst_pfx = pfx;
info->match_flags |= XT_CONNTRACK_ORIGDST;
if (invert)
info->invert_flags |= XT_CONNTRACK_ORIGDST;
break;
case '5': /* --ctreplsrc */
- ipparse_hostnetworkmask(optarg, &addr, &info->replsrc_mask.in,
- &naddrs);
- if (naddrs > 1)
- exit_error(PARAMETER_PROBLEM,
- "multiple IP addresses not allowed");
- if (naddrs == 1)
- memcpy(&info->replsrc_addr.in, addr, sizeof(*addr));
+ ipparse_hostnetworkpfx(optarg, &info->replsrc_addr, &pfx);
+ info->replsrc_pfx = pfx;
info->match_flags |= XT_CONNTRACK_REPLSRC;
if (invert)
info->invert_flags |= XT_CONNTRACK_REPLSRC;
break;
case '6': /* --ctrepldst */
- ipparse_hostnetworkmask(optarg, &addr, &info->repldst_mask.in,
- &naddrs);
- if (naddrs > 1)
- exit_error(PARAMETER_PROBLEM,
- "multiple IP addresses not allowed");
- if (naddrs == 1)
- memcpy(&info->repldst_addr.in, addr, sizeof(*addr));
+ ipparse_hostnetworkpfx(optarg, &info->repldst_addr, &pfx);
+ info->repldst_pfx = pfx;
info->match_flags |= XT_CONNTRACK_REPLDST;
if (invert)
info->invert_flags |= XT_CONNTRACK_REPLDST;
break;
-
default:
return conntrack_mt_parse(c, argv, invert, flags, match);
}
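Review bot: `info->origsrc_pfx = pfx;` (and the three sibling assignments) narrows an unsigned int into a u_int8_t with no check at the point of use; this is correct only because ipparse_hostnetworkpfx() caps the value at 32, so a short comment, or an explicit `pfx <= 32` guard, would document the contract instead of leaving it implicit across two files.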
@@ -618,63 +596,41 @@ conntrack_mt6_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_match **match)
{
struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data;
- struct in6_addr *addr = NULL;
- unsigned int naddrs = 0;
+ unsigned int pfx;
switch (c) {
case '3': /* --ctorigsrc */
- ip6parse_hostnetworkmask(optarg, &addr,
- &info->origsrc_mask.in6, &naddrs);
- if (naddrs > 1)
- exit_error(PARAMETER_PROBLEM,
- "multiple IP addresses not allowed");
- if (naddrs == 1)
- memcpy(&info->origsrc_addr.in6, addr, sizeof(*addr));
+ ip6parse_hostnetworkpfx(optarg, &info->origsrc_addr, &pfx);
+ info->origsrc_pfx = pfx;
info->match_flags |= XT_CONNTRACK_ORIGSRC;
if (invert)
info->invert_flags |= XT_CONNTRACK_ORIGSRC;
break;
case '4': /* --ctorigdst */
- ip6parse_hostnetworkmask(optarg, &addr,
- &info->origdst_mask.in6, &naddrs);
- if (naddrs > 1)
- exit_error(PARAMETER_PROBLEM,
- "multiple IP addresses not allowed");
- if (naddrs == 1)
- memcpy(&info->origdst_addr.in, addr, sizeof(*addr));
+ ip6parse_hostnetworkpfx(optarg, &info->origdst_addr, &pfx);
+ info->origdst_pfx = pfx;
info->match_flags |= XT_CONNTRACK_ORIGDST;
if (invert)
info->invert_flags |= XT_CONNTRACK_ORIGDST;
break;
case '5': /* --ctreplsrc */
- ip6parse_hostnetworkmask(optarg, &addr,
- &info->replsrc_mask.in6, &naddrs);
- if (naddrs > 1)
- exit_error(PARAMETER_PROBLEM,
- "multiple IP addresses not allowed");
- if (naddrs == 1)
- memcpy(&info->replsrc_addr.in, addr, sizeof(*addr));
+ ip6parse_hostnetworkpfx(optarg, &info->replsrc_addr, &pfx);
+ info->replsrc_pfx = pfx;
info->match_flags |= XT_CONNTRACK_REPLSRC;
if (invert)
info->invert_flags |= XT_CONNTRACK_REPLSRC;
break;
case '6': /* --ctrepldst */
- ip6parse_hostnetworkmask(optarg, &addr,
- &info->repldst_mask.in6, &naddrs);
- if (naddrs > 1)
- exit_error(PARAMETER_PROBLEM,
- "multiple IP addresses not allowed");
- if (naddrs == 1)
- memcpy(&info->repldst_addr.in, addr, sizeof(*addr));
+ ip6parse_hostnetworkpfx(optarg, &info->repldst_addr, &pfx);
+ info->repldst_pfx = pfx;
info->match_flags |= XT_CONNTRACK_REPLDST;
if (invert)
info->invert_flags |= XT_CONNTRACK_REPLDST;
break;
-
default:
return conntrack_mt_parse(c, argv, invert, flags, match);
}
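Review bot: the removed lines in cases '4', '5' and '6' copied an in6_addr into `info->...addr.in` (the IPv4 member) with sizeof(struct in6_addr), which only worked because the union is large enough; the new ip6parse_hostnetworkpfx() writes `.in6` directly and so fixes that quietly. Worth a sentence in the commit message so the behavioural change is on record.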
@@ -753,23 +709,26 @@ print_status(unsigned int statusmask)
}
static void
-conntrack_dump_addr(const union nf_inet_addr *addr,
- const union nf_inet_addr *mask,
+conntrack_dump_addr(const union nf_inet_addr *addr, unsigned int prefix,
unsigned int family, bool numeric)
{
if (family == AF_INET) {
- if (!numeric && addr->ip == 0) {
+ if (numeric)
+ printf("%s/%u ", ipaddr_to_numeric(&addr->in), prefix);
+ else if (addr->ip == 0)
printf("anywhere ");
- return;
- }
- printf("%s ", ipaddr_to_anyname(&addr->in));
+ else
+ printf("%s/%u ", ipaddr_to_anyname(&addr->in), prefix);
} else if (family == AF_INET6) {
- if (!numeric && addr->ip6[0] == 0 && addr->ip6[1] == 0 &&
- addr->ip6[2] == 0 && addr->ip6[3] == 0) {
+ if (numeric)
+ printf("%s/%u ", ip6addr_to_numeric(&addr->in6),
+ prefix);
+ else if ((addr->ip6[0] | addr->ip6[1] | addr->ip6[2] |
+ addr->ip6[3]) == 0)
printf("anywhere ");
- return;
- }
- printf("%s ", ip6addr_to_anyname(&addr->in6));
+ else
+ printf("%s/%u ", ip6addr_to_anyname(&addr->in6),
+ prefix);
}
}
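Review bot: in both non-numeric branches the "anywhere " shortcut is keyed on the address being zero (`addr->ip == 0`, or the OR of the four IPv6 words being zero) rather than on the prefix, so a rule for `0.0.0.0/32` (matching only the unspecified address) is listed exactly like `0.0.0.0/0`. Testing `prefix == 0` reflects what the rule matches; the numeric path used by iptables-save is fine because it always prints `/prefix`.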
@@ -901,7 +860,7 @@ conntrack_dump(const struct xt_conntrack_mtinfo1 *info, const char *prefix,
if (info->invert_flags & XT_CONNTRACK_PROTO)
printf("! ");
printf("%sctorigsrc ", prefix);
- conntrack_dump_addr(&info->origsrc_addr, &info->origsrc_mask,
+ conntrack_dump_addr(&info->origsrc_addr, info->origsrc_pfx,
family, numeric);
}
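Review bot: the context line `if (info->invert_flags & XT_CONNTRACK_PROTO)` decides whether `!` is printed for ctorigsrc, and the three following hunks show the same test for ctorigdst, ctreplsrc and ctrepldst; each should test its own flag (XT_CONNTRACK_ORIGSRC and so on), otherwise an inverted address match is saved without the `!` and a plain one gains it whenever --ctproto is inverted, so a save/restore cycle changes the rule. Pre-existing rather than introduced here, but it deserves its own fix.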
@@ -909,7 +868,7 @@ conntrack_dump(const struct xt_conntrack_mtinfo1 *info, const char *prefix,
if (info->invert_flags & XT_CONNTRACK_PROTO)
printf("! ");
printf("%sctorigdst ", prefix);
- conntrack_dump_addr(&info->origdst_addr, &info->origdst_mask,
+ conntrack_dump_addr(&info->origdst_addr, info->origdst_pfx,
family, numeric);
}
@@ -917,7 +876,7 @@ conntrack_dump(const struct xt_conntrack_mtinfo1 *info, const char *prefix,
if (info->invert_flags & XT_CONNTRACK_PROTO)
printf("! ");
printf("%sctreplsrc ", prefix);
- conntrack_dump_addr(&info->replsrc_addr, &info->replsrc_mask,
+ conntrack_dump_addr(&info->replsrc_addr, info->replsrc_pfx,
family, numeric);
}
@@ -925,7 +884,7 @@ conntrack_dump(const struct xt_conntrack_mtinfo1 *info, const char *prefix,
if (info->invert_flags & XT_CONNTRACK_PROTO)
printf("! ");
printf("%sctrepldst ", prefix);
- conntrack_dump_addr(&info->repldst_addr, &info->repldst_mask,
+ conntrack_dump_addr(&info->repldst_addr, info->repldst_pfx,
family, numeric);
}
diff --git a/include/linux/netfilter/xt_conntrack.h b/include/linux/netfilter/xt_conntrack.h
index 9e35ccd..d787786 100644
--- a/include/linux/netfilter/xt_conntrack.h
+++ b/include/linux/netfilter/xt_conntrack.h
@@ -68,16 +68,18 @@ struct xt_conntrack_info
};
struct xt_conntrack_mtinfo1 {
- union nf_inet_addr origsrc_addr, origsrc_mask;
- union nf_inet_addr origdst_addr, origdst_mask;
- union nf_inet_addr replsrc_addr, replsrc_mask;
- union nf_inet_addr repldst_addr, repldst_mask;
+ union nf_inet_addr origsrc_addr;
+ union nf_inet_addr origdst_addr;
+ union nf_inet_addr replsrc_addr;
+ union nf_inet_addr repldst_addr;
u_int32_t expires_min, expires_max;
u_int16_t l4proto;
- u_int16_t origsrc_port, origdst_port;
- u_int16_t replsrc_port, repldst_port;
+ __be16 origsrc_port, origdst_port;
+ __be16 replsrc_port, repldst_port;
u_int16_t match_flags, invert_flags;
u_int8_t state_mask, status_mask;
+ u_int8_t origsrc_pfx, origdst_pfx;
+ u_int8_t replsrc_pfx, repldst_pfx;
};
#endif /*_XT_CONNTRACK_H*/
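Review bot: besides the mask-to-prefix change, this hunk also switches the four port fields from u_int16_t to __be16, which the commit message does not mention. The width is unchanged so the layout is unaffected, but it is a resync with the kernel header and should be called out; please also confirm the header still compiles standalone in userspace, since __be16 comes from <linux/types.h>.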
diff --git a/include/xtables.h b/include/xtables.h
index 484e436..7a25b59 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -171,6 +171,8 @@ struct xtables_target
#endif
};
+union nf_inet_addr;
+
extern char *lib_dir;
extern void *fw_calloc(size_t count, size_t size);
@@ -241,6 +243,8 @@ extern const char *ipaddr_to_anyname(const struct in_addr *);
extern const char *ipmask_to_numeric(const struct in_addr *);
extern struct in_addr *numeric_to_ipaddr(const char *);
extern struct in_addr *numeric_to_ipmask(const char *);
+extern void ipparse_hostnetworkpfx(const char *, union nf_inet_addr *,
+ unsigned int *);
extern void ipparse_hostnetworkmask(const char *, struct in_addr **,
struct in_addr *, unsigned int *);
@@ -248,6 +252,8 @@ extern struct in6_addr *numeric_to_ip6addr(const char *);
extern const char *ip6addr_to_numeric(const struct in6_addr *);
extern const char *ip6addr_to_anyname(const struct in6_addr *);
extern const char *ip6mask_to_numeric(const struct in6_addr *);
+extern void ip6parse_hostnetworkpfx(const char *, union nf_inet_addr *,
+ unsigned int *);
extern void ip6parse_hostnetworkmask(const char *, struct in6_addr **,
struct in6_addr *, unsigned int *);
diff --git a/xtables.c b/xtables.c
index af4d3dc..4a9bedd 100644
--- a/xtables.c
+++ b/xtables.c
@@ -32,6 +32,7 @@
#include <arpa/inet.h>
#include <xtables.h>
+#include <linux/netfilter.h>
#ifndef NO_SHARED_LIBS
#include <dlfcn.h>
@@ -909,6 +910,36 @@ static struct in_addr *parse_ipmask(const char *mask)
return &maskaddr;
}
+void ipparse_hostnetworkpfx(const char *name, union nf_inet_addr *addrp,
+ unsigned int *maskp)
+{
+ unsigned int naddrs = 0;
+ struct in_addr *res;
+ char buf[256], *p;
+
+ strncpy(buf, name, sizeof(buf) - 1);
+ if ((p = strchr(buf, '/')) != NULL) {
+ *p = '\0';
+ if (!strtonum(p + 1, NULL, maskp, 0, 32))
+ exit_error(PARAMETER_PROBLEM, "Invalid mask");
+ } else {
+ *maskp = 32;
+ }
+
+ /* if a null mask is given, the name is ignored, like in "any/0" */
+ if (*maskp == 0)
+ strcpy(buf, "0.0.0.0");
+
+ res = ipparse_hostnetwork(buf, &naddrs);
+ if (naddrs == 0)
+ exit_error(PARAMETER_PROBLEM, "%s did not resolve to an address", name);
+ if (naddrs > 1)
+ exit_error(PARAMETER_PROBLEM, "%s resolved to more than one address", name);
+
+ memcpy(&addrp->in, res, sizeof(struct in_addr));
+ free(res);
+}
+
void ipparse_hostnetworkmask(const char *name, struct in_addr **addrpp,
struct in_addr *maskp, unsigned int *naddrs)
{
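Review bot: `strncpy(buf, name, sizeof(buf) - 1)` leaves `buf` unterminated when `name` is 255 bytes or longer, and `buf` is an uninitialized stack array, so the following strchr() and ipparse_hostnetwork() read past the end of it; add `buf[sizeof(buf) - 1] = '\0';` right after the copy, or reject over-long names with an explicit length check. The `*maskp == 0` special case that substitutes "0.0.0.0" matches the comment's intent, but note it means an unresolvable name with `/0` is accepted silently.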
@@ -1133,6 +1164,36 @@ static struct in6_addr *parse_ip6mask(char *mask)
return &maskaddr;
}
+void ip6parse_hostnetworkpfx(const char *name, union nf_inet_addr *addrp,
+ unsigned int *maskp)
+{
+ unsigned int naddrs = 0;
+ struct in6_addr *res;
+ char buf[256], *p;
+
+ strncpy(buf, name, sizeof(buf) - 1);
+ if ((p = strchr(buf, '/')) != NULL) {
+ *p = '\0';
+ if (!strtonum(p + 1, NULL, maskp, 0, 128))
+ exit_error(PARAMETER_PROBLEM, "Invalid mask");
+ } else {
+ *maskp = 128;
+ }
+
+ /* if a null mask is given, the name is ignored, like in "any/0" */
+ if (*maskp == 0)
+ strcpy(buf, "::");
+
+ res = ip6parse_hostnetwork(buf, &naddrs);
+ if (naddrs == 0)
+ exit_error(PARAMETER_PROBLEM, "%s did not resolve to an address", name);
+ if (naddrs > 1)
+ exit_error(PARAMETER_PROBLEM, "%s resolved to more than one address", name);
+
+ memcpy(&addrp->in6, res, sizeof(struct in6_addr));
+ free(res);
+}
+
void ip6parse_hostnetworkmask(const char *name, struct in6_addr **addrpp,
struct in6_addr *maskp, unsigned int *naddrs)
{
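Review bot: ip6parse_hostnetworkpfx has the same unterminated-buffer problem as its IPv4 counterpart (`strncpy(buf, name, sizeof(buf) - 1);` into an uninitialised `buf` with no explicit `buf[sizeof(buf) - 1] = '\0';`), and apart from the prefix-length bound (128 vs 32), the "any" literal (`::` vs `0.0.0.0`) and the resolver call, its body is a line-for-line copy of the IPv4 function. Fixing the terminator in one shared static helper parameterised on those three things would keep the two paths from drifting apart.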
* Re: tarball target
2008-03-03 11:34 ` Jan Engelhardt
@ 2008-03-03 12:08 ` Jan Engelhardt
0 siblings, 0 replies; 6+ messages in thread
From: Jan Engelhardt @ 2008-03-03 12:08 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: kaber, Netfilter Developer Mailing List
On Mar 3 2008 12:34, Jan Engelhardt wrote:
>>
>>Attention, I'm about to release iptables-1.4.1 which includes the
>>userspace part for this. I can still delay it a couple of days and
>>rework the release tarball if you pass me the userspace part asap.
(Hmm... releases always seem to be at the wrong time)
Another thing you will need is:
commit b381f81cca8c1a49c318fde97a2ef69054055995
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Mon Mar 3 13:04:07 2008 +0100
Makefile: add a "tarball" target
diff --git a/Makefile.am b/Makefile.am
index a0f33c6..7c3f131 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -93,3 +93,11 @@ ip6tables.8: ${srcdir}/ip6tables.8.in extensions/matches6.man extensions/targets
extensions/%:
${MAKE} ${AM_MAKEFLAGS} -C $(@D) $(@F)
+
+.PHONY: tarball
+tarball:
+ rm -Rf /tmp/xtables;
+ pushd ${top_srcdir} && git-archive --prefix=xtables/ HEAD | tar -C /tmp -x && popd;
+ pushd /tmp/xtables && ./autogen.sh && popd;
+ tar -C /tmp -cf xtables-${PACKAGE_VERSION}.tar.bz2 xtables/;
+ rm -Rf /tmp/xtables;
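Review bot: the `tarball` target uses the fixed, world-predictable path `/tmp/xtables` and starts with `rm -Rf /tmp/xtables;` before extracting into it, so on a shared host another local user can pre-create that directory (or a symlink of that name) and have the recipe remove or write into something it did not create; use `mktemp -d` for the staging directory instead. Two smaller points in the same recipe: `tar -C /tmp -cf xtables-${PACKAGE_VERSION}.tar.bz2 xtables/` has no `-j`, so the file named `.tar.bz2` is an uncompressed tar, and `pushd`/`popd` are bash builtins that fail when make runs the recipe under a POSIX `/bin/sh`; `cd` inside a subshell, or `git archive`'s own `--prefix=` output piped straight into `tar -C $$tmpdir -x`, avoids the dependency.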
* Re: xt_conntrack r1; deploy a prefix length to network mask mapping table
2008-02-29 18:47 ` Jan Engelhardt
2008-03-03 2:52 ` Pablo Neira Ayuso
@ 2008-03-11 19:58 ` Jan Engelhardt
1 sibling, 0 replies; 6+ messages in thread
From: Jan Engelhardt @ 2008-03-11 19:58 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List, pablo
On Feb 29 2008 19:47, Jan Engelhardt wrote:
>>===
>>commit 84622a5c5190ea1bf0a37695961714a04a99a9c0
>>Author: Jan Engelhardt <jengelh@computergmbh.de>
>>Date: Thu Feb 21 16:33:32 2008 +0100
>>
>> [NETFILTER]: Deploy a prefix length to network mask mapping table
>>
>> Userspace utilities commonly transform a prefix length (CIDR notation
>> like 192.168.222.1/32) into a full netmask before submitting it to
>> the kernel.
>>
>> The size of struct xt_conntrack_mtinfo1 is currently 152 bytes, of
>> which 64 bytes are for masks. By submitting prefix lengths to the
>> kernel, we can save 60 bytes (almost 40%) as prefix lengths can fit
>> into one uint8_t. Since we do not want to recompute the mask for each
>> invocation of the match function, a static translation table will be
>> used (net/core/pfxlen.c).
>>
>> The patch also removes xt_hashlimit's obsolete mask computation.
>
>Can we merge this while r1 is not yet used by userspace?
>If not, that's fine too, will queue it for 2.6.26.
>
I have not yet heard back. If this fails to make it into 2.6.25, then I
suggest disabling revision 1 support before the next iptables release
(replacing .family=AF_INET/AF_INET6 with AF_UNSPEC for simplicity) so
that iptables continues to use rev 0 on 2.6.25.
Following this, .revision=1 can just be exchanged by .revision=2 in both
2.6.26 and iptables without problems. This way, no new extra code is
introduced while keeping all the backwards niceties.
thanks,
Jan