From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 18/28] netfilter: nf_queue: place bridge physports into queue_entry struct
Date: Mon, 30 Mar 2020 21:21:26 +0200 [thread overview]
Message-ID: <20200330192136.230459-19-pablo@netfilter.org> (raw)
In-Reply-To: <20200330192136.230459-1-pablo@netfilter.org>
From: Florian Westphal <fw@strlen.de>
The refcount is done via entry->skb, which does work fine.
Major problem: When putting the refcount of the bridge ports, we
must always put the references while the skb is still around.
However, we will need to put the references after okfn() to avoid
a possible 1 -> 0 -> 1 refcount transition, so we cannot use the
skb pointer anymore.
Place the physports in the queue entry structure instead to allow
for refcounting changes in the next patch.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_queue.h | 5 +++-
net/netfilter/nf_queue.c | 53 +++++++++++++++++-----------------------
2 files changed, 27 insertions(+), 31 deletions(-)
diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h
index cdbd98730852..e770bba00066 100644
--- a/include/net/netfilter/nf_queue.h
+++ b/include/net/netfilter/nf_queue.h
@@ -14,7 +14,10 @@ struct nf_queue_entry {
struct sk_buff *skb;
unsigned int id;
unsigned int hook_index; /* index in hook_entries->hook[] */
-
+#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
+ struct net_device *physin;
+ struct net_device *physout;
+#endif
struct nf_hook_state state;
u16 size; /* sizeof(entry) + saved route keys */
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index 4da5776a9904..96eb72908467 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -46,24 +46,6 @@ void nf_unregister_queue_handler(struct net *net)
}
EXPORT_SYMBOL(nf_unregister_queue_handler);
-static void nf_queue_entry_release_br_nf_refs(struct sk_buff *skb)
-{
-#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
- struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
-
- if (nf_bridge) {
- struct net_device *physdev;
-
- physdev = nf_bridge_get_physindev(skb);
- if (physdev)
- dev_put(physdev);
- physdev = nf_bridge_get_physoutdev(skb);
- if (physdev)
- dev_put(physdev);
- }
-#endif
-}
-
static void nf_queue_entry_release_refs(struct nf_queue_entry *entry)
{
struct nf_hook_state *state = &entry->state;
@@ -76,7 +58,12 @@ static void nf_queue_entry_release_refs(struct nf_queue_entry *entry)
if (state->sk)
sock_put(state->sk);
- nf_queue_entry_release_br_nf_refs(entry->skb);
+#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
+ if (entry->physin)
+ dev_put(entry->physin);
+ if (entry->physout)
+ dev_put(entry->physout);
+#endif
}
void nf_queue_entry_free(struct nf_queue_entry *entry)
@@ -86,20 +73,19 @@ void nf_queue_entry_free(struct nf_queue_entry *entry)
}
EXPORT_SYMBOL_GPL(nf_queue_entry_free);
-static void nf_queue_entry_get_br_nf_refs(struct sk_buff *skb)
+static void __nf_queue_entry_init_physdevs(struct nf_queue_entry *entry)
{
#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
- struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
+ const struct sk_buff *skb = entry->skb;
+ struct nf_bridge_info *nf_bridge;
+ nf_bridge = nf_bridge_info_get(skb);
if (nf_bridge) {
- struct net_device *physdev;
-
- physdev = nf_bridge_get_physindev(skb);
- if (physdev)
- dev_hold(physdev);
- physdev = nf_bridge_get_physoutdev(skb);
- if (physdev)
- dev_hold(physdev);
+ entry->physin = nf_bridge_get_physindev(skb);
+ entry->physout = nf_bridge_get_physoutdev(skb);
+ } else {
+ entry->physin = NULL;
+ entry->physout = NULL;
}
#endif
}
@@ -116,7 +102,12 @@ void nf_queue_entry_get_refs(struct nf_queue_entry *entry)
if (state->sk)
sock_hold(state->sk);
- nf_queue_entry_get_br_nf_refs(entry->skb);
+#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
+ if (entry->physin)
+ dev_hold(entry->physin);
+ if (entry->physout)
+ dev_hold(entry->physout);
+#endif
}
EXPORT_SYMBOL_GPL(nf_queue_entry_get_refs);
@@ -207,6 +198,8 @@ static int __nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
.size = sizeof(*entry) + route_key_size,
};
+ __nf_queue_entry_init_physdevs(entry);
+
nf_queue_entry_get_refs(entry);
switch (entry->state.pf) {
--
2.11.0
next prev parent reply other threads:[~2020-03-30 19:22 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-30 19:21 [PATCH 00/28] Netfilter/IPVS updates for net-next Pablo Neira Ayuso
2020-03-30 19:21 ` [PATCH 01/28] netfilter: nf_tables: move nft_expr_clone() to nf_tables_api.c Pablo Neira Ayuso
2020-03-30 19:21 ` [PATCH 02/28] netfilter: nf_tables: pass context to nft_set_destroy() Pablo Neira Ayuso
2020-03-30 19:21 ` [PATCH 03/28] netfilter: nf_tables: allow to specify stateful expression in set definition Pablo Neira Ayuso
2020-03-30 19:21 ` [PATCH 04/28] netfilter: nf_tables: fix double-free on set expression from the error path Pablo Neira Ayuso
2020-03-30 19:21 ` [PATCH 05/28] netfilter: nf_tables: add nft_set_elem_expr_destroy() and use it Pablo Neira Ayuso
2020-03-30 19:21 ` [PATCH 06/28] netfilter: flowtable: fix NULL pointer dereference in tunnel offload support Pablo Neira Ayuso
2020-03-30 19:21 ` [PATCH 07/28] netfilter: ctnetlink: Add missing annotation for ctnetlink_parse_nat_setup() Pablo Neira Ayuso
2020-03-30 19:21 ` [PATCH 08/28] netfilter: conntrack: Add missing annotations for nf_conntrack_all_lock() and nf_conntrack_all_unlock() Pablo Neira Ayuso
2020-03-30 19:21 ` [PATCH 09/28] ipvs: optimize tunnel dumps for icmp errors Pablo Neira Ayuso
2020-03-30 19:21 ` [PATCH 10/28] netfilter: conntrack: export nf_ct_acct_update() Pablo Neira Ayuso
2020-03-30 19:21 ` [PATCH 11/28] netfilter: nf_tables: add enum nft_flowtable_flags to uapi Pablo Neira Ayuso
2020-03-30 19:21 ` [PATCH 12/28] netfilter: flowtable: add counter support Pablo Neira Ayuso
2020-03-30 19:21 ` [PATCH 13/28] netfilter: flowtable: Fix incorrect tc_setup_type type Pablo Neira Ayuso
2020-03-30 19:21 ` [PATCH 14/28] netfilter: nf_tables: silence a RCU-list warning in nft_table_lookup() Pablo Neira Ayuso
2020-03-30 19:21 ` [PATCH 15/28] netfilter: flowtable: Use rw sem as flow block lock Pablo Neira Ayuso
2020-03-30 19:21 ` [PATCH 16/28] netfilter: flowtable: Use work entry per offload command Pablo Neira Ayuso
2020-03-30 19:21 ` [PATCH 17/28] netfilter: nf_queue: make nf_queue_entry_release_refs static Pablo Neira Ayuso
2020-03-30 19:21 ` Pablo Neira Ayuso [this message]
2020-03-30 19:21 ` [PATCH 19/28] netfilter: nf_queue: do not release refcouts until nf_reinject is done Pablo Neira Ayuso
2020-03-30 19:21 ` [PATCH 20/28] netfilter: nf_queue: prefer nf_queue_entry_free Pablo Neira Ayuso
2020-03-30 19:21 ` [PATCH 21/28] netfilter: ctnetlink: be more strict when NF_CONNTRACK_MARK is not set Pablo Neira Ayuso
2020-03-30 19:21 ` [PATCH 22/28] netfilter: nft_set_bitmap: initialize set element extension in lookups Pablo Neira Ayuso
2020-03-30 19:21 ` [PATCH 23/28] netfilter: nft_dynset: validate set expression definition Pablo Neira Ayuso
2020-03-30 19:21 ` [PATCH 24/28] netfilter: nf_tables: skip set types that do not support for expressions Pablo Neira Ayuso
2020-03-30 19:21 ` [PATCH 25/28] netfilter: conntrack: add nf_ct_acct_add() Pablo Neira Ayuso
2020-03-30 19:21 ` [PATCH 26/28] netfilter: flowtable: add counter support in HW offload Pablo Neira Ayuso
2020-03-30 19:21 ` [PATCH 27/28] netfilter: nft_exthdr: fix endianness of tcp option cast Pablo Neira Ayuso
2020-03-30 19:21 ` [PATCH 28/28] ipvs: fix uninitialized variable warning Pablo Neira Ayuso
2020-03-31 3:11 ` [PATCH 00/28] Netfilter/IPVS updates for net-next David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200330192136.230459-19-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).