From: pablo@netfilter.org
To: netfilter-devel@vger.kernel.org
Cc: kaber@trash.net
Subject: [PATCH 1/4] netfilter: nf_tables: rise maximum number of expressions from 12 to 128
Date: Mon, 31 Dec 2012 00:23:13 +0100 [thread overview]
Message-ID: <1356909796-3143-1-git-send-email-pablo@netfilter.org> (raw)
From: Pablo Neira Ayuso <pablo@netfilter.org>
Use kmalloc'ed memory area to store the parsed expressions instead of
using the stack. This allows us to raise the maximum number of
expressions in one rule.
On 64-bit architectures, this requires 17408 bytes for our allocated
struct nft_expr_info.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 22 ++++++++++++++++------
1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index fc596b5..a847375 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1332,7 +1332,9 @@ static void nf_tables_rule_destroy(struct nft_rule *rule)
call_rcu(&rule->rcu_head, nf_tables_rcu_rule_destroy);
}
-#define NFT_RULE_MAXEXPRS 12
+#define NFT_RULE_MAXEXPRS 128
+
+static struct nft_expr_info *info;
static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
const struct nlmsghdr *nlh,
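Review bot: the new file-scope `static struct nft_expr_info *info;` is a single buffer shared by every caller of nf_tables_newrule(), so its correctness depends on all nfnetlink callbacks into this subsystem being serialised; that assumption is not stated anywhere in the hunk. Add a comment next to the declaration saying which lock guarantees exclusive use, and consider a less generic name (for example `nft_rule_expr_info`) since `info` at file scope is easy to shadow or confuse with the local parameters of the same name.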
@@ -1343,7 +1345,6 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
struct nft_table *table;
struct nft_chain *chain;
struct nft_rule *rule, *old_rule = NULL;
- struct nft_expr_info info[NFT_RULE_MAXEXPRS];
struct nft_expr *expr;
struct nft_ctx ctx;
struct nlattr *tmp;
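Review bot: removing the stack array changes the lifetime of the entries, not just their location: the old `info[NFT_RULE_MAXEXPRS]` was fresh per call, while the global buffer keeps whatever the previous rule left in it. The parsing loop that fills `info[]` is not part of this hunk, so please confirm that every field an entry is read from is written first on each call, and that the bound check against NFT_RULE_MAXEXPRS that protected the old array still guards the index into the new one.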
@@ -2859,22 +2860,30 @@ static int __init nf_tables_module_init(void)
{
int err;
+ info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
+ GFP_KERNEL);
+ if (info == NULL) {
+ err = -ENOMEM;
+ goto err1;
+ }
+
err = nf_tables_core_module_init();
if (err < 0)
- goto err1;
+ goto err2;
err = nfnetlink_subsys_register(&nf_tables_subsys);
if (err < 0)
- goto err2;
+ goto err3;
nft_register_chain_type(&filter_ipv4);
nft_register_chain_type(&filter_ipv6);
pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
return 0;
-
-err2:
+err3:
nf_tables_core_module_exit();
+err2:
+ kfree(info);
err1:
return err;
}
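Review bot: the unwind order is right (err3 tears down the core module, err2 frees the buffer, err1 only returns), but the allocation could use `kcalloc(NFT_RULE_MAXEXPRS, sizeof(struct nft_expr_info), GFP_KERNEL)` instead of an open-coded `sizeof(...) * NFT_RULE_MAXEXPRS`; that makes the array intent explicit and zeroes the module-lifetime buffer so a missed initialisation in the parser yields NULLs rather than stale data. Since the size is now 17408 bytes (per the commit message), it is also worth a comment that this is a single allocation made once at init rather than per rule.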
@@ -2885,6 +2894,7 @@ static void __exit nf_tables_module_exit(void)
nft_unregister_chain_type(&filter_ipv6);
nfnetlink_subsys_unregister(&nf_tables_subsys);
nf_tables_core_module_exit();
+ kfree(info);
}
module_init(nf_tables_module_init);
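Review bot: `kfree(info)` is correctly placed after nfnetlink_subsys_unregister() and nf_tables_core_module_exit(), so no nf_tables_newrule() call can still be running when the buffer goes away; a short comment would help keep future edits from moving the free earlier in this function.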
--
1.7.10.4
2012-12-30 23:23 pablo [this message]
2012-12-30 23:23 ` [PATCH 2/4] netfilter: nf_tables: nft_compat: private data of target and matches in contiguous area pablo
2012-12-30 23:23 ` [PATCH 3/4] netfilter: nf_tables: validate hooks for compat match/target pablo
2012-12-30 23:23 ` [PATCH 4/4] netfilter: nf_tables: complete net namespace support pablo