netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [nf-next PATCH] netfilter: nf_tables: add support for inverted login in nft_lookup
Date: Tue, 31 May 2016 13:39:21 +0200
Message-ID: <20160531113921.GA5870@salvia>
In-Reply-To: <146469443294.16092.10350972377628813816.stgit@nfdev2.cica.es>

On Tue, May 31, 2016 at 01:33:53PM +0200, Arturo Borrero Gonzalez wrote:
> Introduce a new configuration option for this expression, which allows users
> to invert the logic of set lookups.
> 
> Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
> ---
>  include/uapi/linux/netfilter/nf_tables.h |    6 ++++++
>  net/netfilter/nft_lookup.c               |   15 ++++++++++++++-
>  2 files changed, 20 insertions(+), 1 deletion(-)
> 
> diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
> index 6a4dbe0..01751fa 100644
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b/include/uapi/linux/netfilter/nf_tables.h
> @@ -546,6 +546,10 @@ enum nft_cmp_attributes {
>  };
>  #define NFTA_CMP_MAX		(__NFTA_CMP_MAX - 1)
>  
> +enum nft_lookup_flags {
> +	NFT_LOOKUP_F_INV = (1 << 0),
> +};
> +
>  /**
>   * enum nft_lookup_attributes - nf_tables set lookup expression netlink attributes
>   *
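
Review bot: enum nft_lookup_flags goes into the uapi header with no kernel-doc comment, while enum nft_lookup_attributes directly below it has one. A short block above the new enum that names @NFT_LOOKUP_F_INV and says it inverts the result of the set lookup would let userspace authors learn what the bit means without reading nft_lookup.c.
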
> @@ -553,6 +557,7 @@ enum nft_cmp_attributes {
>   * @NFTA_LOOKUP_SREG: source register of the data to look for (NLA_U32: nft_registers)
>   * @NFTA_LOOKUP_DREG: destination register (NLA_U32: nft_registers)
>   * @NFTA_LOOKUP_SET_ID: uniquely identifies a set in a transaction (NLA_U32)
> + * @NFTA_LOOKUP_FLAGS: flags (NLA_U32: enum nft_lookup_flags)
>   */
>  enum nft_lookup_attributes {
>  	NFTA_LOOKUP_UNSPEC,
> @@ -560,6 +565,7 @@ enum nft_lookup_attributes {
>  	NFTA_LOOKUP_SREG,
>  	NFTA_LOOKUP_DREG,
>  	NFTA_LOOKUP_SET_ID,
> +	NFTA_LOOKUP_FLAGS,
>  	__NFTA_LOOKUP_MAX
>  };
>  #define NFTA_LOOKUP_MAX		(__NFTA_LOOKUP_MAX - 1)
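
Review bot: NFTA_LOOKUP_FLAGS carries a u32 bitmask in which only NFT_LOOKUP_F_INV (bit 0) is defined, so the parsing side needs to reject every other bit; the nft_lookup.c hunks that would do that are not quoted in this reply. Returning -EINVAL when flags & ~NFT_LOOKUP_F_INV is non-zero keeps the remaining bits usable for later extensions, because a kernel that does not know a flag then refuses it instead of silently ignoring it. Appending the attribute just before __NFTA_LOOKUP_MAX is the right place for ABI stability.
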
> diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c
> index b3c31ef..4a9ee78 100644
> --- a/net/netfilter/nft_lookup.c
> +++ b/net/netfilter/nft_lookup.c
> @@ -23,6 +23,7 @@ struct nft_lookup {
>  	enum nft_registers		sreg:8;
>  	enum nft_registers		dreg:8;
>  	struct nft_set_binding		binding;
> +	bool				invert;
>  };

pahole reports that there is a hole between dreg and binding where you
can scratch those 8 bytes for this new boolean:

struct nft_lookup {
        struct nft_set *           set;                  /*     0 8 */
        enum nft_registers         sreg:8;               /*     8:24 4 */
        enum nft_registers         dreg:8;               /*     8:16 4 */

        /* XXX 16 bits hole, try to pack */
        /* XXX 4 bytes hole, try to pack */

        struct nft_set_binding     binding;              /*    16 32 */

        /* XXX last struct has 4 bytes of padding */

        /* size: 48, cachelines: 1, members: 4 */
        /* sum members: 44, holes: 1, sum holes: 4 */
        /* bit holes: 1, sum bit holes: 16 bits */
        /* paddings: 1, sum paddings: 4 */
        /* last cacheline: 48 bytes */
}

So this should look like instead:

  	enum nft_registers		sreg:8;
  	enum nft_registers		dreg:8;
 +	bool				invert;
  	struct nft_set_binding		binding;
  };
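
The layout point made in the reply above, as an added example that is not part of the original message or of the kernel source. The structs are constructed stand-ins (`mock_binding` and the `lookup_*` names are hypothetical) that mimic the shape pahole printed, and they compare the bool appended after `binding` with the bool placed in the hole before it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the embedded binding: pointers plus a trailing
 * 32-bit field, so on 64-bit targets it ends in padding. */
struct mock_binding {
	void		*next, *prev;
	const void	*chain;
	uint32_t	flags;
};

/* Layout before the patch: two 8-bit fields, then an aligned struct. */
struct lookup_orig {
	void			*set;
	unsigned int		sreg:8;
	unsigned int		dreg:8;
	struct mock_binding	binding;
};

/* bool appended after binding, as in the quoted hunk. */
struct lookup_tail {
	void			*set;
	unsigned int		sreg:8;
	unsigned int		dreg:8;
	struct mock_binding	binding;
	bool			invert;
};

/* bool placed before binding, as the reply suggests. */
struct lookup_hole {
	void			*set;
	unsigned int		sreg:8;
	unsigned int		dreg:8;
	bool			invert;
	struct mock_binding	binding;
};

/* Bytes added to the original struct by each placement. */
size_t growth_tail(void) { return sizeof(struct lookup_tail) - sizeof(struct lookup_orig); }
size_t growth_hole(void) { return sizeof(struct lookup_hole) - sizeof(struct lookup_orig); }

int main(void)
{
	printf("orig=%zu tail=+%zu hole=+%zu invert@%zu binding@%zu\n",
	       sizeof(struct lookup_orig), growth_tail(), growth_hole(),
	       offsetof(struct lookup_hole, invert),
	       offsetof(struct lookup_hole, binding));
	return 0;
}
```
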

Thread overview: 7+ messages
2016-05-31 11:33 [nf-next PATCH] netfilter: nf_tables: add support for inverted login in nft_lookup Arturo Borrero Gonzalez
2016-05-31 11:39 ` Pablo Neira Ayuso [this message]
2016-05-31 14:44 ` Florian Westphal
2016-05-31 15:50   ` Arturo Borrero Gonzalez
2016-05-31 16:18     ` Arturo Borrero Gonzalez
2016-05-31 16:42       ` Arturo Borrero Gonzalez
2016-06-01  8:58       ` Florian Westphal
