From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org
Subject: [PATCH net-next 16/32] netfilter: conntrack: avoid useless indirection during conntrack destruction
Date: Mon, 10 Jan 2022 00:16:24 +0100 [thread overview]
Message-ID: <20220109231640.104123-17-pablo@netfilter.org> (raw)
In-Reply-To: <20220109231640.104123-1-pablo@netfilter.org>
From: Florian Westphal <fw@strlen.de>
nf_ct_put() results in a usesless indirection:
nf_ct_put -> nf_conntrack_put -> nf_conntrack_destroy -> rcu readlock +
indirect call of ct_hooks->destroy().
There are two _put helpers:
nf_ct_put and nf_conntrack_put. The latter is what should be used in
code that MUST NOT cause a linker dependency on the conntrack module
(e.g. calls from core network stack).
Everyone else should call nf_ct_put() instead.
A followup patch will convert a few nf_conntrack_put() calls to
nf_ct_put(), in particular from modules that already have a conntrack
dependency such as act_ct or even nf_conntrack itself.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/linux/netfilter/nf_conntrack_common.h | 2 ++
include/net/netfilter/nf_conntrack.h | 8 ++++++--
net/netfilter/nf_conntrack_core.c | 12 ++++++------
3 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index a03f7a80b9ab..2770db2fa080 100644
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -29,6 +29,8 @@ struct nf_conntrack {
};
void nf_conntrack_destroy(struct nf_conntrack *nfct);
+
+/* like nf_ct_put, but without module dependency on nf_conntrack */
static inline void nf_conntrack_put(struct nf_conntrack *nfct)
{
if (nfct && refcount_dec_and_test(&nfct->use))
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index a4a14f3a5e38..8731d5bcb47d 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -76,6 +76,8 @@ struct nf_conn {
* Hint, SKB address this struct and refcnt via skb->_nfct and
* helpers nf_conntrack_get() and nf_conntrack_put().
* Helper nf_ct_put() equals nf_conntrack_put() by dec refcnt,
+ * except that the latter uses internal indirection and does not
+ * result in a conntrack module dependency.
* beware nf_ct_get() is different and don't inc refcnt.
*/
struct nf_conntrack ct_general;
@@ -170,11 +172,13 @@ nf_ct_get(const struct sk_buff *skb, enum ip_conntrack_info *ctinfo)
return (struct nf_conn *)(nfct & NFCT_PTRMASK);
}
+void nf_ct_destroy(struct nf_conntrack *nfct);
+
/* decrement reference count on a conntrack */
static inline void nf_ct_put(struct nf_conn *ct)
{
- WARN_ON(!ct);
- nf_conntrack_put(&ct->ct_general);
+ if (ct && refcount_dec_and_test(&ct->ct_general.use))
+ nf_ct_destroy(&ct->ct_general);
}
/* Protocol module loading */
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index cd3d07e418b5..7a2063abae04 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -558,7 +558,7 @@ static void nf_ct_del_from_dying_or_unconfirmed_list(struct nf_conn *ct)
#define NFCT_ALIGN(len) (((len) + NFCT_INFOMASK) & ~NFCT_INFOMASK)
-/* Released via destroy_conntrack() */
+/* Released via nf_ct_destroy() */
struct nf_conn *nf_ct_tmpl_alloc(struct net *net,
const struct nf_conntrack_zone *zone,
gfp_t flags)
@@ -612,12 +612,11 @@ static void destroy_gre_conntrack(struct nf_conn *ct)
#endif
}
-static void
-destroy_conntrack(struct nf_conntrack *nfct)
+void nf_ct_destroy(struct nf_conntrack *nfct)
{
struct nf_conn *ct = (struct nf_conn *)nfct;
- pr_debug("destroy_conntrack(%p)\n", ct);
+ pr_debug("%s(%p)\n", __func__, ct);
WARN_ON(refcount_read(&nfct->use) != 0);
if (unlikely(nf_ct_is_template(ct))) {
@@ -643,9 +642,10 @@ destroy_conntrack(struct nf_conntrack *nfct)
if (ct->master)
nf_ct_put(ct->master);
- pr_debug("destroy_conntrack: returning ct=%p to slab\n", ct);
+ pr_debug("%s: returning ct=%p to slab\n", __func__, ct);
nf_conntrack_free(ct);
}
+EXPORT_SYMBOL(nf_ct_destroy);
static void nf_ct_delete_from_lists(struct nf_conn *ct)
{
@@ -2771,7 +2771,7 @@ int nf_conntrack_init_start(void)
static const struct nf_ct_hook nf_conntrack_hook = {
.update = nf_conntrack_update,
- .destroy = destroy_conntrack,
+ .destroy = nf_ct_destroy,
.get_tuple_skb = nf_conntrack_get_tuple_skb,
.attach = nf_conntrack_attach,
};
--
2.30.2
next prev parent reply other threads:[~2022-01-09 23:17 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-09 23:16 [PATCH net-next 00/32] Netfilter updates for net-next Pablo Neira Ayuso
2022-01-09 23:16 ` [PATCH net-next 01/32] netfilter: nfnetlink: add netns refcount tracker to struct nfulnl_instance Pablo Neira Ayuso
2022-01-10 0:30 ` patchwork-bot+netdevbpf
2022-01-09 23:16 ` [PATCH net-next 02/32] netfilter: nf_nat_masquerade: add netns refcount tracker to masq_dev_work Pablo Neira Ayuso
2022-01-09 23:16 ` [PATCH net-next 03/32] netfilter: nf_tables: remove rcu read-size lock Pablo Neira Ayuso
2022-01-09 23:16 ` [PATCH net-next 04/32] netfilter: nft_payload: WARN_ON_ONCE instead of BUG Pablo Neira Ayuso
2022-01-09 23:16 ` [PATCH net-next 05/32] netfilter: nf_tables: consolidate rule verdict trace call Pablo Neira Ayuso
2022-01-09 23:16 ` [PATCH net-next 06/32] netfilter: nf_tables: replace WARN_ON by WARN_ON_ONCE for unknown verdicts Pablo Neira Ayuso
2022-01-09 23:16 ` [PATCH net-next 07/32] netfilter: nf_tables: make counter support built-in Pablo Neira Ayuso
2022-01-09 23:16 ` [PATCH net-next 08/32] netfilter: conntrack: tag conntracks picked up in local out hook Pablo Neira Ayuso
2022-01-09 23:16 ` [PATCH net-next 09/32] netfilter: nat: force port remap to prevent shadowing well-known ports Pablo Neira Ayuso
2022-01-09 23:16 ` [PATCH net-next 10/32] netfilter: flowtable: remove ipv4/ipv6 modules Pablo Neira Ayuso
2022-01-11 9:01 ` Geert Uytterhoeven
2022-01-09 23:16 ` [PATCH net-next 11/32] netfilter: nft_set_pipapo_avx2: remove redundant pointer lt Pablo Neira Ayuso
2022-01-09 23:16 ` [PATCH net-next 12/32] netfilter: conntrack: Use max() instead of doing it manually Pablo Neira Ayuso
2022-01-09 23:16 ` [PATCH net-next 13/32] netfilter: conntrack: convert to refcount_t api Pablo Neira Ayuso
2022-01-09 23:16 ` [PATCH net-next 14/32] netfilter: core: move ip_ct_attach indirection to struct nf_ct_hook Pablo Neira Ayuso
2022-01-09 23:16 ` [PATCH net-next 15/32] netfilter: make function op structures const Pablo Neira Ayuso
2022-01-09 23:16 ` Pablo Neira Ayuso [this message]
2022-01-09 23:16 ` [PATCH net-next 17/32] net: prefer nf_ct_put instead of nf_conntrack_put Pablo Neira Ayuso
2022-01-09 23:16 ` [PATCH net-next 18/32] netfilter: egress: avoid a lockdep splat Pablo Neira Ayuso
2022-02-28 2:13 ` Eric Dumazet
2022-02-28 2:32 ` Florian Westphal
2022-01-09 23:16 ` [PATCH net-next 19/32] netfilter: nft_connlimit: move stateful fields out of expression data Pablo Neira Ayuso
2022-01-10 18:20 ` Julian Wiedmann
2022-01-10 19:25 ` Pablo Neira Ayuso
2022-01-09 23:16 ` [PATCH net-next 20/32] netfilter: nft_last: " Pablo Neira Ayuso
2022-01-09 23:16 ` [PATCH net-next 21/32] netfilter: nft_quota: " Pablo Neira Ayuso
2022-01-09 23:16 ` [PATCH net-next 22/32] netfilter: nft_numgen: " Pablo Neira Ayuso
2022-01-09 23:16 ` [PATCH net-next 23/32] netfilter: nft_limit: rename stateful structure Pablo Neira Ayuso
2022-01-09 23:16 ` [PATCH net-next 24/32] netfilter: nft_limit: move stateful fields out of expression data Pablo Neira Ayuso
2022-01-09 23:16 ` [PATCH net-next 25/32] netfilter: nf_tables: add rule blob layout Pablo Neira Ayuso
2022-01-09 23:16 ` [PATCH net-next 26/32] netfilter: nf_tables: add NFT_REG32_NUM Pablo Neira Ayuso
2022-01-09 23:16 ` [PATCH net-next 27/32] netfilter: nf_tables: add register tracking infrastructure Pablo Neira Ayuso
2022-01-09 23:16 ` [PATCH net-next 28/32] netfilter: nft_payload: track register operations Pablo Neira Ayuso
2022-01-09 23:16 ` [PATCH net-next 29/32] netfilter: nft_meta: " Pablo Neira Ayuso
2022-01-09 23:16 ` [PATCH net-next 30/32] netfilter: nft_bitwise: " Pablo Neira Ayuso
2022-01-09 23:16 ` [PATCH net-next 31/32] netfilter: nft_payload: cancel register tracking after payload update Pablo Neira Ayuso
2022-01-09 23:16 ` [PATCH net-next 32/32] netfilter: nft_meta: cancel register tracking after meta update Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220109231640.104123-17-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).