* [nf-next PATCH 0/6] Refactor nft_obj_filter into nft_obj_dump_ctx
From: Phil Sutter @ 2023-10-20 17:34 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
This is ultimately prep work for object reset locking, but valid on its
own:
Make object dump routines utilize struct netlink_callback's scratch area
for context data. This requires to relocate the s_idx counter, so turn
nft_obj_filter into a real context data structure holding also the
counter (and the reset boolean as well).
Phil Sutter (6):
netfilter: nf_tables: Drop pointless memset in nf_tables_dump_obj
netfilter: nf_tables: Unconditionally allocate nft_obj_filter
netfilter: nf_tables: A better name for nft_obj_filter
netfilter: nf_tables: Carry s_idx in nft_obj_dump_ctx
netfilter: nf_tables: nft_obj_filter fits into cb->ctx
netfilter: nf_tables: Carry reset boolean in nft_obj_dump_ctx
net/netfilter/nf_tables_api.c | 66 ++++++++++++++---------------------
1 file changed, 26 insertions(+), 40 deletions(-)
--
2.41.0
* [nf-next PATCH 1/6] netfilter: nf_tables: Drop pointless memset in nf_tables_dump_obj
From: Phil Sutter @ 2023-10-20 17:34 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
The code does not make use of cb->args fields past the first one, no
need to zero them.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
net/netfilter/nf_tables_api.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 20734fbb0d94..0f7ee76ad64f 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7725,9 +7725,6 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
goto cont;
if (idx < s_idx)
goto cont;
- if (idx > s_idx)
- memset(&cb->args[1], 0,
- sizeof(cb->args) - sizeof(cb->args[0]));
if (filter && filter->table &&
strcmp(filter->table, table->name))
goto cont;
--
2.41.0
* [nf-next PATCH 2/6] netfilter: nf_tables: Unconditionally allocate nft_obj_filter
From: Phil Sutter @ 2023-10-20 17:34 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Prep work for moving the filter into struct netlink_callback's scratch
area.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
net/netfilter/nf_tables_api.c | 36 +++++++++++++++--------------------
1 file changed, 15 insertions(+), 21 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 0f7ee76ad64f..0dfac634d21f 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7725,11 +7725,9 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
goto cont;
if (idx < s_idx)
goto cont;
- if (filter && filter->table &&
- strcmp(filter->table, table->name))
+ if (filter->table && strcmp(filter->table, table->name))
goto cont;
- if (filter &&
- filter->type != NFT_OBJECT_UNSPEC &&
+ if (filter->type != NFT_OBJECT_UNSPEC &&
obj->ops->type->type != filter->type)
goto cont;
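Review bot: With `filter` now always allocated, the `filter->type != NFT_OBJECT_UNSPEC` test on the new line relies on kzalloc's zero fill standing in for NFT_OBJECT_UNSPEC whenever NFTA_OBJ_TYPE is absent, since nf_tables_dump_obj_start in the next hunk never writes `filter->type` in that case. This is correct as long as NFT_OBJECT_UNSPEC is the zero value of its enum, but the dependency is invisible at both sites; a one-line comment at the allocation in nf_tables_dump_obj_start would make it explicit, e.g. `/* zero-filled: table == NULL and type == NFT_OBJECT_UNSPEC mean "no filter" */`. nf_tables_dump_obj's body starts and ends outside this hunk.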
@@ -7764,23 +7762,21 @@ static int nf_tables_dump_obj_start(struct netlink_callback *cb)
const struct nlattr * const *nla = cb->data;
struct nft_obj_filter *filter = NULL;
- if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
- filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
- if (!filter)
- return -ENOMEM;
+ filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
+ if (!filter)
+ return -ENOMEM;
- if (nla[NFTA_OBJ_TABLE]) {
- filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
- if (!filter->table) {
- kfree(filter);
- return -ENOMEM;
- }
+ if (nla[NFTA_OBJ_TABLE]) {
+ filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
+ if (!filter->table) {
+ kfree(filter);
+ return -ENOMEM;
}
-
- if (nla[NFTA_OBJ_TYPE])
- filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
}
+ if (nla[NFTA_OBJ_TYPE])
+ filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
+
cb->data = filter;
return 0;
}
@@ -7789,10 +7785,8 @@ static int nf_tables_dump_obj_done(struct netlink_callback *cb)
{
struct nft_obj_filter *filter = cb->data;
- if (filter) {
- kfree(filter->table);
- kfree(filter);
- }
+ kfree(filter->table);
+ kfree(filter);
return 0;
}
--
2.41.0
* [nf-next PATCH 3/6] netfilter: nf_tables: A better name for nft_obj_filter
From: Phil Sutter @ 2023-10-20 17:34 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Name it for what it is supposed to become, a real nft_obj_dump_ctx. No
functional change intended.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
net/netfilter/nf_tables_api.c | 32 ++++++++++++++++----------------
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 0dfac634d21f..20b49b11938a 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7689,7 +7689,7 @@ static void audit_log_obj_reset(const struct nft_table *table,
kfree(buf);
}
-struct nft_obj_filter {
+struct nft_obj_dump_ctx {
char *table;
u32 type;
};
@@ -7699,7 +7699,7 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
const struct nft_table *table;
unsigned int idx = 0, s_idx = cb->args[0];
- struct nft_obj_filter *filter = cb->data;
+ struct nft_obj_dump_ctx *ctx = cb->data;
struct net *net = sock_net(skb->sk);
int family = nfmsg->nfgen_family;
struct nftables_pernet *nft_net;
@@ -7725,10 +7725,10 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
goto cont;
if (idx < s_idx)
goto cont;
- if (filter->table && strcmp(filter->table, table->name))
+ if (ctx->table && strcmp(ctx->table, table->name))
goto cont;
- if (filter->type != NFT_OBJECT_UNSPEC &&
- obj->ops->type->type != filter->type)
+ if (ctx->type != NFT_OBJECT_UNSPEC &&
+ obj->ops->type->type != ctx->type)
goto cont;
rc = nf_tables_fill_obj_info(skb, net,
@@ -7760,33 +7760,33 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
static int nf_tables_dump_obj_start(struct netlink_callback *cb)
{
const struct nlattr * const *nla = cb->data;
- struct nft_obj_filter *filter = NULL;
+ struct nft_obj_dump_ctx *ctx = NULL;
- filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
- if (!filter)
+ ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
+ if (!ctx)
return -ENOMEM;
if (nla[NFTA_OBJ_TABLE]) {
- filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
- if (!filter->table) {
- kfree(filter);
+ ctx->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
+ if (!ctx->table) {
+ kfree(ctx);
return -ENOMEM;
}
}
if (nla[NFTA_OBJ_TYPE])
- filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
+ ctx->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
- cb->data = filter;
+ cb->data = ctx;
return 0;
}
static int nf_tables_dump_obj_done(struct netlink_callback *cb)
{
- struct nft_obj_filter *filter = cb->data;
+ struct nft_obj_dump_ctx *ctx = cb->data;
- kfree(filter->table);
- kfree(filter);
+ kfree(ctx->table);
+ kfree(ctx);
return 0;
}
--
2.41.0
* [nf-next PATCH 4/6] netfilter: nf_tables: Carry s_idx in nft_obj_dump_ctx
From: Phil Sutter @ 2023-10-20 17:34 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Prep work for moving the context into struct netlink_callback scratch
area.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
net/netfilter/nf_tables_api.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 20b49b11938a..a6877544f936 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7690,6 +7690,7 @@ static void audit_log_obj_reset(const struct nft_table *table,
}
struct nft_obj_dump_ctx {
+ unsigned int s_idx;
char *table;
u32 type;
};
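Review bot: The new `s_idx` member is undocumented, although it now carries state across successive invocations of nf_tables_dump_obj: the third hunk skips objects while `idx < ctx->s_idx`, and the last hunk stores `ctx->s_idx = idx` before returning `skb->len`. A field comment would spare readers a trip through the dump loop, e.g. `unsigned int s_idx; /* resume point: object index at which the next dump call continues */`. It also deserves a mention that the value replaces the former `cb->args[0]` bookkeeping, so nothing else may reuse that slot for this dumper.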
@@ -7697,14 +7698,14 @@ struct nft_obj_dump_ctx {
static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
{
const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
- const struct nft_table *table;
- unsigned int idx = 0, s_idx = cb->args[0];
struct nft_obj_dump_ctx *ctx = cb->data;
struct net *net = sock_net(skb->sk);
int family = nfmsg->nfgen_family;
struct nftables_pernet *nft_net;
+ const struct nft_table *table;
unsigned int entries = 0;
struct nft_object *obj;
+ unsigned int idx = 0;
bool reset = false;
int rc = 0;
@@ -7723,7 +7724,7 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
list_for_each_entry_rcu(obj, &table->objects, list) {
if (!nft_is_active(net, obj))
goto cont;
- if (idx < s_idx)
+ if (idx < ctx->s_idx)
goto cont;
if (ctx->table && strcmp(ctx->table, table->name))
goto cont;
@@ -7753,7 +7754,7 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
}
rcu_read_unlock();
- cb->args[0] = idx;
+ ctx->s_idx = idx;
return skb->len;
}
--
2.41.0
* [nf-next PATCH 5/6] netfilter: nf_tables: nft_obj_filter fits into cb->ctx
From: Phil Sutter @ 2023-10-20 17:34 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
No need to allocate it if one may just use struct netlink_callback's
scratch area for it.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
net/netfilter/nf_tables_api.c | 16 +++++-----------
1 file changed, 5 insertions(+), 11 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index a6877544f936..9523f1f3a598 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7698,7 +7698,7 @@ struct nft_obj_dump_ctx {
static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
{
const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
- struct nft_obj_dump_ctx *ctx = cb->data;
+ struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
struct net *net = sock_net(skb->sk);
int family = nfmsg->nfgen_family;
struct nftables_pernet *nft_net;
@@ -7760,34 +7760,28 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
static int nf_tables_dump_obj_start(struct netlink_callback *cb)
{
+ struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
const struct nlattr * const *nla = cb->data;
- struct nft_obj_dump_ctx *ctx = NULL;
- ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
- if (!ctx)
- return -ENOMEM;
+ BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx));
if (nla[NFTA_OBJ_TABLE]) {
ctx->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
- if (!ctx->table) {
- kfree(ctx);
+ if (!ctx->table)
return -ENOMEM;
- }
}
if (nla[NFTA_OBJ_TYPE])
ctx->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
- cb->data = ctx;
return 0;
}
static int nf_tables_dump_obj_done(struct netlink_callback *cb)
{
- struct nft_obj_dump_ctx *ctx = cb->data;
+ struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
kfree(ctx->table);
- kfree(ctx);
return 0;
}
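Review bot: Dropping kzalloc means the context's zero state — `table == NULL`, `type == NFT_OBJECT_UNSPEC`, `s_idx == 0` — must now come from the netlink core, which as far as I recall clears the whole `struct netlink_callback` in __netlink_dump_start before invoking ->start; nf_tables_dump_obj_start itself never initialises the fields it does not set. That dependency is invisible in this hunk and is worth a comment next to the BUILD_BUG_ON, e.g. `/* cb->ctx is zeroed by the netlink core before ->start runs */`. The error path still holds: when nla_strdup fails, `ctx->table` stays NULL and nothing in cb->ctx needs releasing. The BUILD_BUG_ON also covers the `(void *)cb->ctx` casts in the first hunk and in nf_tables_dump_obj_done, so it is the right single place for that check.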
--
2.41.0
* [nf-next PATCH 6/6] netfilter: nf_tables: Carry reset boolean in nft_obj_dump_ctx
From: Phil Sutter @ 2023-10-20 17:34 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Relieve the dump callback from having to inspect nlmsg_type upon each
call, just do it once at start of the dump.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
net/netfilter/nf_tables_api.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 9523f1f3a598..29298ed0252d 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7693,6 +7693,7 @@ struct nft_obj_dump_ctx {
unsigned int s_idx;
char *table;
u32 type;
+ bool reset;
};
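Review bot: `bool reset` joins the struct without a comment, although it is only set to true for NFT_MSG_GETOBJ_RESET in the last hunk and otherwise keeps the zero value of the scratch area; in nf_tables_dump_obj it is forwarded as the `reset` argument of nf_tables_fill_obj_info and gates audit_log_obj_reset. Suggest `bool reset; /* NFT_MSG_GETOBJ_RESET dump: decided once in ->start, applied per object */`, so a reader does not have to rediscover that the per-call nlmsg_type check moved to nf_tables_dump_obj_start.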
static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
@@ -7706,12 +7707,8 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
unsigned int entries = 0;
struct nft_object *obj;
unsigned int idx = 0;
- bool reset = false;
int rc = 0;
- if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
- reset = true;
-
rcu_read_lock();
nft_net = nft_pernet(net);
cb->seq = READ_ONCE(nft_net->base_seq);
@@ -7738,7 +7735,7 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
NFT_MSG_NEWOBJ,
NLM_F_MULTI | NLM_F_APPEND,
table->family, table,
- obj, reset);
+ obj, ctx->reset);
if (rc < 0)
break;
@@ -7747,7 +7744,7 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
cont:
idx++;
}
- if (reset && entries)
+ if (ctx->reset && entries)
audit_log_obj_reset(table, nft_net->base_seq, entries);
if (rc < 0)
break;
@@ -7774,6 +7771,9 @@ static int nf_tables_dump_obj_start(struct netlink_callback *cb)
if (nla[NFTA_OBJ_TYPE])
ctx->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
+ if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
+ ctx->reset = true;
+
return 0;
}
--
2.41.0
* Re: [nf-next PATCH 1/6] netfilter: nf_tables: Drop pointless memset in nf_tables_dump_obj
From: Pablo Neira Ayuso @ 2023-10-25 9:48 UTC (permalink / raw)
To: Phil Sutter; +Cc: netfilter-devel
On Fri, Oct 20, 2023 at 07:34:28PM +0200, Phil Sutter wrote:
> The code does not make use of cb->args fields past the first one, no
> need to zero them.
Series applied to nf-next, thanks