From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf-next 2/6] netfilter: nf_tables: wrap tracing with a static key
Date: Tue, 24 Nov 2015 11:19:26 +0100 [thread overview]
Message-ID: <20151124101926.GC2683@salvia> (raw)
In-Reply-To: <1448359331-12692-3-git-send-email-fw@strlen.de>
On Tue, Nov 24, 2015 at 11:02:07AM +0100, Florian Westphal wrote:
> Only needed when meta nftrace rule(s) were added.
>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
> include/net/netfilter/nf_tables_core.h | 1 +
> include/net/netfilter/nft_meta.h | 3 +++
> net/bridge/netfilter/nft_meta_bridge.c | 1 +
> net/netfilter/nf_tables_core.c | 20 +++++++++++++++-----
> net/netfilter/nft_meta.c | 15 +++++++++++++++
> 5 files changed, 35 insertions(+), 5 deletions(-)
>
> diff --git a/include/net/netfilter/nf_tables_core.h b/include/net/netfilter/nf_tables_core.h
> index c6f400c..8ad6240 100644
> --- a/include/net/netfilter/nf_tables_core.h
> +++ b/include/net/netfilter/nf_tables_core.h
> @@ -48,6 +48,7 @@ struct nft_payload {
> };
>
> extern const struct nft_expr_ops nft_payload_fast_ops;
> +extern struct static_key nft_trace_enabled;
>
> int nft_payload_module_init(void);
> void nft_payload_module_exit(void);
> diff --git a/include/net/netfilter/nft_meta.h b/include/net/netfilter/nft_meta.h
> index 711887a..d27588c 100644
> --- a/include/net/netfilter/nft_meta.h
> +++ b/include/net/netfilter/nft_meta.h
> @@ -33,4 +33,7 @@ void nft_meta_set_eval(const struct nft_expr *expr,
> struct nft_regs *regs,
> const struct nft_pktinfo *pkt);
>
> +void nft_meta_set_destroy(const struct nft_ctx *ctx,
> + const struct nft_expr *expr);
> +
> #endif
> diff --git a/net/bridge/netfilter/nft_meta_bridge.c b/net/bridge/netfilter/nft_meta_bridge.c
> index a21269b..4b901d9 100644
> --- a/net/bridge/netfilter/nft_meta_bridge.c
> +++ b/net/bridge/netfilter/nft_meta_bridge.c
> @@ -84,6 +84,7 @@ static const struct nft_expr_ops nft_meta_bridge_set_ops = {
> .size = NFT_EXPR_SIZE(sizeof(struct nft_meta)),
> .eval = nft_meta_set_eval,
> .init = nft_meta_set_init,
> + .destroy = nft_meta_set_destroy,
> .dump = nft_meta_set_dump,
> };
>
> diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
> index 29a6ca9..dabf5ed 100644
> --- a/net/netfilter/nf_tables_core.c
> +++ b/net/netfilter/nf_tables_core.c
> @@ -16,6 +16,7 @@
> #include <linux/skbuff.h>
> #include <linux/netlink.h>
> #include <linux/netfilter.h>
> +#include <linux/static_key.h>
> #include <linux/netfilter/nfnetlink.h>
> #include <linux/netfilter/nf_tables.h>
> #include <net/netfilter/nf_tables_core.h>
> @@ -54,6 +55,9 @@ static void __nft_trace_packet(const struct nft_pktinfo *pkt,
> rulenum);
> }
>
> +struct static_key nft_trace_enabled __read_mostly;
> +EXPORT_SYMBOL_GPL(nft_trace_enabled);
> +
> static inline void nft_trace_packet(const struct nft_pktinfo *pkt,
> const struct nft_chain *chain,
> const struct nft_rule *rule,
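Review bot: `nft_trace_enabled` is defined and exported here without any comment saying what it counts or what its scope is. From the nft_meta.c hunks it is incremented once per `NFT_META_NFTRACE` set-expression and decremented on destroy. It is one global key, so a single such rule in any network namespace switches the trace checks on for rule evaluation everywhere. I would add above the definition: `/* Number of live "meta nftrace set" expressions (all netns); non-zero enables the trace checks in the rule evaluation loop. */`. The nft_trace_packet() signature that follows continues in the next hunk.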
> @@ -61,7 +65,9 @@ static inline void nft_trace_packet(const struct nft_pktinfo *pkt,
> u32 verdict,
> enum nft_trace_types type)
> {
> - if (unlikely(pkt->skb->nf_trace)) {
> + if (static_key_false(&nft_trace_enabled)) {
> + if (!pkt->skb->nf_trace)
> + return;
> nf_tables_trace_notify(pkt, chain, rule, verdict, type);
> __nft_trace_packet(pkt, chain, rulenum, type);
> }
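Review bot: With the key off, `pkt->skb->nf_trace` is no longer examined at all in nft_trace_packet(). A packet whose trace bit was set by anything other than an nft `meta nftrace set` rule therefore produces no trace output from these chains unless such a rule also happens to exist. As far as I know the xtables TRACE target is one such setter, but that is not visible in this patch. If that loss of trace visibility is intended, it deserves a line in the changelog and a comment such as `/* only packets marked while an nftrace rule exists are traced */`; otherwise the other setters would need to take a reference on the key as well.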
> @@ -138,7 +144,8 @@ next_rule:
> if (unlikely(rule->genmask & (1 << gencursor)))
> continue;
>
> - rulenum++;
> + if (static_key_false(&nft_trace_enabled))
> + rulenum++;
We can probably wrap this code to annotate rule number in a function?
>
> nft_rule_for_each_expr(expr, last, rule) {
> if (expr->ops == &nft_cmp_fast_ops)
> @@ -178,7 +185,8 @@ next_rule:
> BUG_ON(stackptr >= NFT_JUMP_STACK_SIZE);
> jumpstack[stackptr].chain = chain;
> jumpstack[stackptr].rule = rule;
> - jumpstack[stackptr].rulenum = rulenum;
> + if (static_key_false(&nft_trace_enabled))
> + jumpstack[stackptr].rulenum = rulenum;
> stackptr++;
> /* fall through */
> case NFT_GOTO:
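Review bot: The store to `jumpstack[stackptr].rulenum` is now skipped while the key is off, but the matching load in the `@@ -204` hunk runs whenever the key is on at return time. If the key is enabled between a jump and its return for a packet already in flight, `rulenum` is loaded from a slot that was never written. The jumpstack declaration is outside these hunks, so whether it is zero-initialised cannot be seen here; if it is a plain on-stack array, that stale value ends up in the trace output. The store is a single word write next to two others, so I would keep `jumpstack[stackptr].rulenum = rulenum;` unconditional and guard only the load.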
> @@ -188,7 +196,8 @@ next_rule:
> chain = regs.verdict.chain;
> goto do_chain;
> case NFT_CONTINUE:
> - rulenum++;
> + if (static_key_false(&nft_trace_enabled))
> + rulenum++;
This happens again here.
> /* fall through */
> case NFT_RETURN:
> if (stackptr)
> @@ -204,7 +213,8 @@ next_rule:
> stackptr--;
> chain = jumpstack[stackptr].chain;
> rule = jumpstack[stackptr].rule;
> - rulenum = jumpstack[stackptr].rulenum;
> + if (static_key_false(&nft_trace_enabled))
> + rulenum = jumpstack[stackptr].rulenum;
This one is very similar to the one above.
> goto next_rule;
> }
>
> diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
> index e94526a..c2a60ac 100644
> --- a/net/netfilter/nft_meta.c
> +++ b/net/netfilter/nft_meta.c
> @@ -18,10 +18,12 @@
> #include <linux/ip.h>
> #include <linux/ipv6.h>
> #include <linux/smp.h>
> +#include <linux/static_key.h>
> #include <net/dst.h>
> #include <net/sock.h>
> #include <net/tcp_states.h> /* for TCP_TIME_WAIT */
> #include <net/netfilter/nf_tables.h>
> +#include <net/netfilter/nf_tables_core.h>
> #include <net/netfilter/nft_meta.h>
>
> void nft_meta_get_eval(const struct nft_expr *expr,
> @@ -300,6 +302,9 @@ int nft_meta_set_init(const struct nft_ctx *ctx,
> if (err < 0)
> return err;
>
> + if (priv->key == NFT_META_NFTRACE)
> + static_key_slow_inc(&nft_trace_enabled);
> +
> return 0;
> }
> EXPORT_SYMBOL_GPL(nft_meta_set_init);
> @@ -337,6 +342,15 @@ nla_put_failure:
> }
> EXPORT_SYMBOL_GPL(nft_meta_set_dump);
>
> +void nft_meta_set_destroy(const struct nft_ctx *ctx,
> + const struct nft_expr *expr)
> +{
> + const struct nft_meta *priv = nft_expr_priv(expr);
> +
> + if (priv->key == NFT_META_NFTRACE)
> + static_key_slow_dec(&nft_trace_enabled);
> +}
> +
> static struct nft_expr_type nft_meta_type;
> static const struct nft_expr_ops nft_meta_get_ops = {
> .type = &nft_meta_type,
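Review bot: Nothing bounds how often the key can be flipped: adding and then deleting the only `meta nftrace set` rule takes it 0→1→0 through the `static_key_slow_inc()` in the `@@ -300` hunk and the `static_key_slow_dec()` here, and each transition re-patches kernel text. If rule updates are reachable with CAP_NET_ADMIN from an unprivileged user namespace (not visible in this patch), that is a cheap way to cause repeated system-wide patching. A `struct static_key_deferred` with `static_key_slow_dec_deferred()` and a `jump_label_rate_limit()` timeout would dampen it. Separately, `static_key_slow_dec()` can sleep, so nft_meta_set_destroy() should carry a comment that `.destroy` must only be called from process context.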
> @@ -351,6 +365,7 @@ static const struct nft_expr_ops nft_meta_set_ops = {
> .size = NFT_EXPR_SIZE(sizeof(struct nft_meta)),
> .eval = nft_meta_set_eval,
> .init = nft_meta_set_init,
> + .destroy = nft_meta_set_destroy,
> .dump = nft_meta_set_dump,
> };
>
> --
> 2.4.10
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html