From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 14/21] netfilter: nf_tables: variable sized set element keys / data
Date: Mon, 13 Apr 2015 21:29:53 +0200 [thread overview]
Message-ID: <1428953401-4838-15-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1428953401-4838-1-git-send-email-pablo@netfilter.org>
From: Patrick McHardy <kaber@trash.net>
This patch changes sets to support variable sized set element keys / data
up to 64 bytes each by using variable sized set extensions. This allows
to use concatenations with bigger data items suchs as IPv6 addresses.
As a side effect, small keys/data now don't require the full 16 bytes
of struct nft_data anymore but just the space they need.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_tables.h | 5 ++++-
include/uapi/linux/netfilter/nf_tables.h | 3 +++
net/netfilter/nf_tables_api.c | 27 ++++++++++++---------------
net/netfilter/nft_hash.c | 4 ++--
net/netfilter/nft_rbtree.c | 3 ++-
5 files changed, 23 insertions(+), 19 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 160577b..cb42da1 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -158,7 +158,10 @@ struct nft_userdata {
* @priv: element private data and extensions
*/
struct nft_set_elem {
- struct nft_data key;
+ union {
+ u32 buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)];
+ struct nft_data val;
+ } key;
void *priv;
};
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 4221a6c..be8584c 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -388,6 +388,9 @@ enum nft_data_attributes {
};
#define NFTA_DATA_MAX (__NFTA_DATA_MAX - 1)
+/* Maximum length of a value */
+#define NFT_DATA_VALUE_MAXLEN 64
+
/**
* enum nft_verdict_attributes - nf_tables verdict netlink attributes
*
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 2b3f88f..ed0e70e 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2608,7 +2608,7 @@ static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
}
desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
- if (desc.klen == 0 || desc.klen > FIELD_SIZEOF(struct nft_data, data))
+ if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
return -EINVAL;
flags = 0;
@@ -2634,11 +2634,10 @@ static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
if (nla[NFTA_SET_DATA_LEN] == NULL)
return -EINVAL;
desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
- if (desc.dlen == 0 ||
- desc.dlen > FIELD_SIZEOF(struct nft_data, data))
+ if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
return -EINVAL;
} else
- desc.dlen = sizeof(struct nft_data);
+ desc.dlen = sizeof(struct nft_verdict);
} else if (flags & NFT_SET_MAP)
return -EINVAL;
@@ -2854,12 +2853,10 @@ void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
const struct nft_set_ext_type nft_set_ext_types[] = {
[NFT_SET_EXT_KEY] = {
- .len = sizeof(struct nft_data),
- .align = __alignof__(struct nft_data),
+ .align = __alignof__(u32),
},
[NFT_SET_EXT_DATA] = {
- .len = sizeof(struct nft_data),
- .align = __alignof__(struct nft_data),
+ .align = __alignof__(u32),
},
[NFT_SET_EXT_FLAGS] = {
.len = sizeof(u8),
@@ -3299,7 +3296,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
timeout = set->timeout;
}
- err = nft_data_init(ctx, &elem.key, sizeof(elem.key), &d1,
+ err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
nla[NFTA_SET_ELEM_KEY]);
if (err < 0)
goto err1;
@@ -3307,7 +3304,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
goto err2;
- nft_set_ext_add(&tmpl, NFT_SET_EXT_KEY);
+ nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
if (timeout > 0) {
nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
if (timeout != set->timeout)
@@ -3342,7 +3339,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
goto err3;
}
- nft_set_ext_add(&tmpl, NFT_SET_EXT_DATA);
+ nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
}
/* The full maximum length of userdata can exceed the maximum
@@ -3358,7 +3355,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
}
err = -ENOMEM;
- elem.priv = nft_set_elem_init(set, &tmpl, elem.key.data, data.data,
+ elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
timeout, GFP_KERNEL);
if (elem.priv == NULL)
goto err3;
@@ -3393,7 +3390,7 @@ err3:
if (nla[NFTA_SET_ELEM_DATA] != NULL)
nft_data_uninit(&data, d2.type);
err2:
- nft_data_uninit(&elem.key, d1.type);
+ nft_data_uninit(&elem.key.val, d1.type);
err1:
return err;
}
@@ -3460,7 +3457,7 @@ static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
if (nla[NFTA_SET_ELEM_KEY] == NULL)
goto err1;
- err = nft_data_init(ctx, &elem.key, sizeof(elem.key), &desc,
+ err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
nla[NFTA_SET_ELEM_KEY]);
if (err < 0)
goto err1;
@@ -3488,7 +3485,7 @@ static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
err3:
kfree(trans);
err2:
- nft_data_uninit(&elem.key, desc.type);
+ nft_data_uninit(&elem.key.val, desc.type);
err1:
return err;
}
diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c
index 767df41..3f9d45d 100644
--- a/net/netfilter/nft_hash.c
+++ b/net/netfilter/nft_hash.c
@@ -133,7 +133,7 @@ static int nft_hash_insert(const struct nft_set *set,
struct nft_hash_cmp_arg arg = {
.genmask = nft_genmask_next(read_pnet(&set->pnet)),
.set = set,
- .key = elem->key.data,
+ .key = elem->key.val.data,
};
return rhashtable_lookup_insert_key(&priv->ht, &arg, &he->node,
@@ -157,7 +157,7 @@ static void *nft_hash_deactivate(const struct nft_set *set,
struct nft_hash_cmp_arg arg = {
.genmask = nft_genmask_next(read_pnet(&set->pnet)),
.set = set,
- .key = elem->key.data,
+ .key = elem->key.val.data,
};
rcu_read_lock();
diff --git a/net/netfilter/nft_rbtree.c b/net/netfilter/nft_rbtree.c
index b888e0c..1c30f41 100644
--- a/net/netfilter/nft_rbtree.c
+++ b/net/netfilter/nft_rbtree.c
@@ -152,7 +152,8 @@ static void *nft_rbtree_deactivate(const struct nft_set *set,
while (parent != NULL) {
rbe = rb_entry(parent, struct nft_rbtree_elem, node);
- d = memcmp(nft_set_ext_key(&rbe->ext), &elem->key, set->klen);
+ d = memcmp(nft_set_ext_key(&rbe->ext), &elem->key.val,
+ set->klen);
if (d < 0)
parent = parent->rb_left;
else if (d > 0)
--
1.7.10.4
next prev parent reply other threads:[~2015-04-13 19:29 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-13 19:29 [PATCH 00/21] Netfilter updates for net-next Pablo Neira Ayuso
2015-04-13 19:29 ` [PATCH 01/21] netfilter: nf_tables: validate len in nft_validate_data_load() Pablo Neira Ayuso
2015-04-13 19:29 ` [PATCH 02/21] netfilter: nf_tables: rename nft_validate_data_load() Pablo Neira Ayuso
2015-04-13 19:29 ` [PATCH 03/21] netfilter: nft_lookup: use nft_validate_register_store() to validate types Pablo Neira Ayuso
2015-04-13 19:29 ` [PATCH 04/21] netfilter: nf_tables: kill nft_validate_output_register() Pablo Neira Ayuso
2015-04-13 19:29 ` [PATCH 05/21] netfilter: nf_tables: introduce nft_validate_register_load() Pablo Neira Ayuso
2015-04-13 19:29 ` [PATCH 06/21] netfilter: nf_tables: get rid of NFT_REG_VERDICT usage Pablo Neira Ayuso
2015-04-13 19:29 ` [PATCH 07/21] netfilter: nf_tables: use struct nft_verdict within struct nft_data Pablo Neira Ayuso
2015-04-13 19:29 ` [PATCH 08/21] netfilter: nf_tables: convert expressions to u32 register pointers Pablo Neira Ayuso
2015-04-13 19:29 ` [PATCH 09/21] netfilter: nf_tables: kill nft_data_cmp() Pablo Neira Ayuso
2015-04-13 19:29 ` [PATCH 10/21] netfilter: nf_tables: convert sets to u32 data pointers Pablo Neira Ayuso
2015-04-13 19:29 ` [PATCH 11/21] netfilter: nf_tables: add register parsing/dumping helpers Pablo Neira Ayuso
2015-04-13 19:29 ` [PATCH 12/21] netfilter: nf_tables: switch registers to 32 bit addressing Pablo Neira Ayuso
2015-04-13 19:29 ` [PATCH 13/21] netfilter: nf_tables: support variable sized data in nft_data_init() Pablo Neira Ayuso
2015-04-13 19:29 ` Pablo Neira Ayuso [this message]
2015-04-13 19:29 ` [PATCH 15/21] uapi: ebtables: don't include linux/if.h Pablo Neira Ayuso
2015-04-13 19:29 ` [PATCH 16/21] netfilter: nf_tables: add helper functions for expression handling Pablo Neira Ayuso
2015-04-13 19:29 ` [PATCH 17/21] netfilter: nf_tables: prepare for expressions associated to set elements Pablo Neira Ayuso
2015-04-13 19:29 ` [PATCH 18/21] netfilter: nf_tables: mark stateful expressions Pablo Neira Ayuso
2015-04-13 19:29 ` [PATCH 19/21] netfilter: nf_tables: add flag to indicate set contains expressions Pablo Neira Ayuso
2015-04-13 19:29 ` [PATCH 20/21] netfilter: nft_dynset: dynamic stateful expression instantiation Pablo Neira Ayuso
2015-04-13 19:30 ` [PATCH 21/21] netfilter: nf_tables: get rid of the expression example code Pablo Neira Ayuso
2015-04-14 2:18 ` [PATCH 00/21] Netfilter updates for net-next David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1428953401-4838-15-git-send-email-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).