From: Jan Engelhardt <jengelh@medozas.de>
To: netfilter-devel@vger.kernel.org
Cc: kaber@trash.net
Subject: [PATCH 13/56] netfilter: xtables2: jumpstack (de)allocation functions
Date: Tue, 29 Jun 2010 10:42:53 +0200 [thread overview]
Message-ID: <1277801017-30600-14-git-send-email-jengelh@medozas.de> (raw)
In-Reply-To: <1277801017-30600-1-git-send-email-jengelh@medozas.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 13 ++++++
net/netfilter/x_tables.c | 73 +++++++++++++++++++++++++++++++++++-
2 files changed, 85 insertions(+), 1 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 3849383..fcca7a6 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -512,6 +512,14 @@ enum {
* @chain_list: list of chains (struct xt2_chain)
* @name: name of this table
* @nfproto: nfproto the table is used exclusively with
+ * @rq_stacksize: Size of the jumpstack. This is usually set to the
+ * number of user chains -- since tables cannot have
+ * loops, at most that many jumps can possibly be made --
+ * or a value dependent thereof, such as when it is
+ * multiplied to allow for reentry.
+ * @stacksize: current size of the stack (@stackptr, @jumpstack)
+ * @stackptr: current stack pointer, one per CPU
+ * @jumpstack: our stack, also one per CPU
* @entrypoint: start chains for hooks
* @underflow: base chain policy (rule)
* @net: encompassing netns. To be set by xt2_table_new caller.
@@ -521,6 +529,11 @@ struct xt2_table {
struct list_head chain_list;
char name[11];
uint8_t nfproto;
+
+ unsigned int rq_stacksize, stacksize;
+ unsigned int __percpu *stackptr;
+ const struct xt2_rule ***jumpstack;
+
const struct xt2_chain *entrypoint[NF_INET_NUMHOOKS];
const struct xt2_rule *underflow[NF_INET_NUMHOOKS];
struct net *net;
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 7126e28..c820bdc 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1463,6 +1463,7 @@ struct xt2_chain *xt2_chain_new(struct xt2_table *table, const char *name)
if (chain == NULL)
return NULL;
+ ++table->rq_stacksize;
chain->table = table;
INIT_LIST_HEAD(&chain->anchor);
INIT_LIST_HEAD(&chain->rule_list);
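Review bot: `++table->rq_stacksize` only raises the requested size, while the stacks themselves are sized once, in xt2_jumpstack_alloc at registration time (later in this patch). A chain added to an already registered table would therefore leave `stacksize` smaller than the chain count. Whether that can happen is not visible from this hunk. If it cannot, record the invariant next to the increment, for example `/* chains must be added before xt2_table_register(); the jumpstack is sized there */`. xt2_chain_new starts and ends outside the hunk.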
@@ -1491,11 +1492,76 @@ static void xt2_chain_free(struct xt2_chain *chain)
struct xt2_rule *rule, *next_rule;
list_del(&chain->anchor);
+ --chain->table->rq_stacksize;
list_for_each_entry_safe(rule, next_rule, &chain->rule_list, anchor)
xt2_rule_free(rule);
kfree(chain);
}
+/**
+ * Allocate jumpstacks. This is normally called sometime after the chains
+ * have all been added to the table.
+ */
+static int xt2_jumpstack_alloc(struct xt2_table *table)
+{
+ unsigned int size, cpu;
+
+ table->stackptr = alloc_percpu(unsigned int);
+ if (table->stackptr == NULL)
+ return -ENOMEM;
+
+ size = sizeof(struct xt2_rule **) * nr_cpu_ids;
+ if (size > PAGE_SIZE)
+ table->jumpstack = vmalloc(size);
+ else
+ table->jumpstack = kmalloc(size, GFP_KERNEL);
+ if (table->jumpstack == NULL)
+ return -ENOMEM;
+ memset(table->jumpstack, 0, size);
+
+ table->stacksize = table->rq_stacksize * xt_jumpstack_multiplier;
+ size = sizeof(struct xt2_rule *) * table->stacksize;
+ for_each_possible_cpu(cpu) {
+ if (size > PAGE_SIZE)
+ table->jumpstack[cpu] = vmalloc_node(size,
+ cpu_to_node(cpu));
+ else
+ table->jumpstack[cpu] = kmalloc_node(size,
+ GFP_KERNEL,
+ cpu_to_node(cpu));
+ if (table->jumpstack[cpu] == NULL)
+ /*
+ * Freeing will be done later on by the callers. The
+ * chain is: xt2_table_replace ->
+ * ipt2_register_table -> xt2_table_destroy
+ */
+ return -ENOMEM;
+ }
+
+ return 0;
+}
+
+static void xt2_jumpstack_free(struct xt2_table *table)
+{
+ unsigned int cpu;
+
+ if (table->jumpstack != NULL) {
+ if (sizeof(struct xt2_rule *) * table->stacksize > PAGE_SIZE) {
+ for_each_possible_cpu(cpu)
+ vfree(table->jumpstack[cpu]);
+ } else {
+ for_each_possible_cpu(cpu)
+ kfree(table->jumpstack[cpu]);
+ }
+ if (sizeof(struct xt2_rule **) * nr_cpu_ids > PAGE_SIZE)
+ vfree(table->jumpstack);
+ else
+ kfree(table->jumpstack);
+ }
+
+ free_percpu(table->stackptr);
+}
+
struct xt2_table *xt2_table_new(void)
{
struct xt2_table *table;
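Review bot: In xt2_jumpstack_alloc the per-CPU byte count `sizeof(struct xt2_rule *) * table->stacksize` is stored in an `unsigned int`, and `rq_stacksize * xt_jumpstack_multiplier` is not checked either. With enough chains the count can wrap or truncate, so each CPU gets fewer slots than `stacksize` claims. xt2_jumpstack_free recomputes the same product in `size_t`, so on 64-bit it could then choose vfree() for memory that came from kmalloc_node(). Bounding the slot count before the multiplication keeps allocation and release consistent. The declaration of xt_jumpstack_multiplier is not on this page, so the sketch below assumes it is an unsigned integer.

```c
static int xt2_jumpstack_alloc(struct xt2_table *table)
{
	unsigned int size, cpu;
	u64 slots;

	/* ... unchanged: stackptr and per-CPU pointer array allocation ... */

	slots = (u64)table->rq_stacksize * xt_jumpstack_multiplier;
	if (slots > UINT_MAX / sizeof(struct xt2_rule *))
		return -ENOMEM;
	table->stacksize = slots;
	size = sizeof(struct xt2_rule *) * table->stacksize;
	/* ... unchanged: per-CPU allocation loop and return ... */
```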
@@ -1537,7 +1603,7 @@ EXPORT_SYMBOL_GPL(xt2_tlink_lookup);
int xt2_table_register(struct net *net, struct xt2_table *table)
{
struct xt2_table_link *link;
- int ret = 0;
+ int ret;
if (*table->name == '\0')
/* Empty names don't fly with our strcmp. */
@@ -1550,6 +1616,10 @@ int xt2_table_register(struct net *net, struct xt2_table *table)
goto out;
}
+ ret = xt2_jumpstack_alloc(table);
+ if (ret < 0)
+ goto out;
+
link = kmalloc(sizeof(*link), GFP_KERNEL);
if (link == NULL) {
ret = -ENOMEM;
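Review bot: When `kmalloc(sizeof(*link), GFP_KERNEL)` fails after xt2_jumpstack_alloc has succeeded, the stacks stay attached to the table. Per the comment inside xt2_jumpstack_alloc they are only released by a later xt2_table_destroy. The `out` label is outside the hunk, so this cannot be confirmed here, but a second xt2_table_register on the same table would apparently overwrite `stackptr` and `jumpstack` and leak the first set. Stating the contract at the call would help, for example `/* on failure the jumpstack stays attached; the caller must xt2_table_destroy() the table */`.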
@@ -1633,6 +1703,7 @@ void xt2_table_destroy(struct net *net, struct xt2_table *table)
if (net != NULL)
xt2_table_unregister(net, table);
+ xt2_jumpstack_free(table);
list_for_each_entry_safe(chain, next_chain, &table->chain_list, anchor)
xt2_chain_free(chain);
kfree(table);
--
1.7.1