netfilter-devel.vger.kernel.org archive mirror
* nfbz 621 - 3 kernel patches
@ 2009-12-05 20:26 Jan Engelhardt
  2009-12-05 20:26 ` [PATCH 1/3] netfilter: xt_recent: save 8 bytes per htable Jan Engelhardt
From: Jan Engelhardt @ 2009-12-05 20:26 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel


Hi,


a few simple commits that turned up while processing NF bug 621.
Thanks for taking care of them :)


The following changes since commit 22763c5cf3690a681551162c15d34d935308c8d7:
  Linus Torvalds (1):
        Linux 2.6.32

are available in the git repository at:

  git://dev.medozas.de/linux master

Jan Engelhardt (3):
      netfilter: xt_recent: save 8 bytes per htable
      netfilter: xtables: do not grab random bytes at __init
      netfilter: xtables: obtain random bytes earlier, in checkentry

 net/netfilter/xt_NFQUEUE.c   |    6 +++++-
 net/netfilter/xt_RATEEST.c   |    7 ++++++-
 net/netfilter/xt_connlimit.c |   17 ++++++-----------
 net/netfilter/xt_hashlimit.c |    8 ++++----
 net/netfilter/xt_recent.c    |   20 ++++++++------------
 5 files changed, 29 insertions(+), 29 deletions(-)

^ permalink raw reply	[flat|nested] 12+ messages in thread

* [PATCH 1/3] netfilter: xt_recent: save 8 bytes per htable
  2009-12-05 20:26 nfbz 621 - 3 kernel patches Jan Engelhardt
@ 2009-12-05 20:26 ` Jan Engelhardt
  2010-01-04 15:26   ` Patrick McHardy
  2009-12-05 20:26 ` [PATCH 2/3] netfilter: xtables: do not grab random bytes at __init Jan Engelhardt
From: Jan Engelhardt @ 2009-12-05 20:26 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

Moving rnd_inited into the hole after the uint8 lets go of the uint32
rnd_inited was using, plus the padding that would follow the int group.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 net/netfilter/xt_hashlimit.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index dd16e40..5bdc1fb 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -81,13 +81,13 @@ struct xt_hashlimit_htable {
 	struct hlist_node node;		/* global list of all htables */
 	atomic_t use;
 	u_int8_t family;
+	bool rnd_initialized;
 
 	struct hashlimit_cfg1 cfg;	/* config */
 
 	/* used internally */
 	spinlock_t lock;		/* lock for list_head */
 	u_int32_t rnd;			/* random seed for hash */
-	int rnd_initialized;
 	unsigned int count;		/* number entries in table */
 	struct timer_list timer;	/* timer for gc */
 
@@ -150,7 +150,7 @@ dsthash_alloc_init(struct xt_hashlimit_htable *ht,
 	 * the first hashtable entry */
 	if (!ht->rnd_initialized) {
 		get_random_bytes(&ht->rnd, sizeof(ht->rnd));
-		ht->rnd_initialized = 1;
+		ht->rnd_initialized = true;
 	}
 
 	if (ht->cfg.max && ht->count >= ht->cfg.max) {
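Review bot: the seed is still drawn lazily in dsthash_alloc_init(), on the packet path when the first entry is allocated (see the comment above the if), which is exactly the pattern 3/3 removes from xt_recent and xt_connlimit. htable_create() and htable_create_v0() below already set rnd_initialized = false; drawing rnd there instead would let the flag and this branch go away and keep get_random_bytes() out of the match path.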
@@ -235,7 +235,7 @@ static int htable_create_v0(struct xt_hashlimit_info *minfo, u_int8_t family)
 	atomic_set(&hinfo->use, 1);
 	hinfo->count = 0;
 	hinfo->family = family;
-	hinfo->rnd_initialized = 0;
+	hinfo->rnd_initialized = false;
 	spin_lock_init(&hinfo->lock);
 	hinfo->pde = proc_create_data(minfo->name, 0,
 		(family == NFPROTO_IPV4) ?
@@ -296,7 +296,7 @@ static int htable_create(struct xt_hashlimit_mtinfo1 *minfo, u_int8_t family)
 	atomic_set(&hinfo->use, 1);
 	hinfo->count = 0;
 	hinfo->family = family;
-	hinfo->rnd_initialized = 0;
+	hinfo->rnd_initialized = false;
 	spin_lock_init(&hinfo->lock);
 
 	hinfo->pde = proc_create_data(minfo->name, 0,
-- 
1.6.5.3


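An added example, not part of the patch or the kernel tree, that shows the saving the commit message describes on a reduced model of struct xt_hashlimit_htable. The member types are stand-ins (assumption: LP64 sizes and alignments as on x86_64 or arm64; count, pde and the list heads are left out so the arithmetic stays visible), so the absolute sizes are the model's, not the kernel's. The mechanism is the same: a 1-byte bool fits in the hole after u_int8_t family, and taking the int out of the 4-byte group lets the 8-byte-aligned timer follow rnd without padding.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins with the size and alignment the kernel types have on LP64
 * (assumption: x86_64/arm64; on a 32-bit build the numbers differ). */
struct hnode  { void *next, **pprev; };                    /* struct hlist_node, 16 bytes */
struct hcfg   { uint32_t mode, avg, burst, size, max, gc_interval, expire;
                uint8_t  srcmask, dstmask; };              /* struct hashlimit_cfg1, 30 -> 32 bytes */
struct htimer { void *entry; uint64_t expires; };          /* 8-byte aligned, like struct timer_list */

/* Layout before the patch: the flag is a 4-byte int in the u32 group. */
struct htable_before {
    struct hnode  node;
    int           use;              /* atomic_t */
    uint8_t       family;           /* 3-byte hole follows */
    struct hcfg   cfg;
    int           lock;             /* spinlock_t without debugging */
    uint32_t      rnd;
    int           rnd_initialized;  /* 4 bytes, then 4 bytes of padding */
    struct htimer timer;            /* must start on an 8-byte boundary */
};

/* Layout after the patch: the flag becomes a bool in the hole after family. */
struct htable_after {
    struct hnode  node;
    int           use;
    uint8_t       family;
    bool          rnd_initialized;  /* uses 1 of the 3 hole bytes */
    struct hcfg   cfg;
    int           lock;
    uint32_t      rnd;
    struct htimer timer;            /* rnd ends 8-aligned, no padding needed */
};

size_t size_before(void) { return sizeof(struct htable_before); }
size_t size_after(void)  { return sizeof(struct htable_after); }
size_t bytes_saved(void) { return size_before() - size_after(); }

/* Padding between two members = next offset - (this offset + this size). */
size_t hole_after_family(void)
{
    return offsetof(struct htable_before, cfg)
         - offsetof(struct htable_before, family) - sizeof(uint8_t);
}
size_t pad_before_timer_before(void)
{
    return offsetof(struct htable_before, timer)
         - offsetof(struct htable_before, rnd_initialized) - sizeof(int);
}
size_t pad_before_timer_after(void)
{
    return offsetof(struct htable_after, timer)
         - offsetof(struct htable_after, rnd) - sizeof(uint32_t);
}

int main(void)
{
    printf("before: %zu bytes (hole after family: %zu, padding before timer: %zu)\n",
           size_before(), hole_after_family(), pad_before_timer_before());
    printf("after:  %zu bytes (padding before timer: %zu)\n",
           size_after(), pad_before_timer_after());
    printf("saved:  %zu bytes\n", bytes_saved());
    return 0;
}
```

On a real build the numbers come from `pahole -C xt_hashlimit_htable` (from the dwarves package) run on a vmlinux or module built with debug info; it prints every hole and the trailing padding, which is the check to run before quoting a byte count in a commit message.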

* [PATCH 2/3] netfilter: xtables: do not grab random bytes at __init
  2009-12-05 20:26 nfbz 621 - 3 kernel patches Jan Engelhardt
  2009-12-05 20:26 ` [PATCH 1/3] netfilter: xt_recent: save 8 bytes per htable Jan Engelhardt
@ 2009-12-05 20:26 ` Jan Engelhardt
  2010-01-04 15:27   ` Patrick McHardy
  2009-12-05 20:26 ` [PATCH 3/3] netfilter: xtables: obtain random bytes earlier, in checkentry Jan Engelhardt
  2009-12-14 13:51 ` nfbz 621 - 3 kernel patches Patrick McHardy
From: Jan Engelhardt @ 2009-12-05 20:26 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

References: http://bugzilla.netfilter.org/show_bug.cgi?id=621

"It is deliberately not done in the init function, since we might not
have sufficient random while booting."

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 net/netfilter/xt_NFQUEUE.c |    6 +++++-
 net/netfilter/xt_RATEEST.c |    7 ++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index f28f6a5..12dcd70 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -28,6 +28,7 @@ MODULE_ALIAS("ip6t_NFQUEUE");
 MODULE_ALIAS("arpt_NFQUEUE");
 
 static u32 jhash_initval __read_mostly;
+static bool rnd_inited __read_mostly;
 
 static unsigned int
 nfqueue_tg(struct sk_buff *skb, const struct xt_target_param *par)
@@ -90,6 +91,10 @@ static bool nfqueue_tg_v1_check(const struct xt_tgchk_param *par)
 	const struct xt_NFQ_info_v1 *info = par->targinfo;
 	u32 maxid;
 
+	if (unlikely(!rnd_inited)) {
+		get_random_bytes(&jhash_initval, sizeof(jhash_initval));
+		rnd_inited = true;
+	}
 	if (info->queues_total == 0) {
 		pr_err("NFQUEUE: number of total queues is 0\n");
 		return false;
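Review bot: the check-then-set on the shared static rnd_inited has no serialization; the ip6t and arpt aliases at the top of the file show this target serves several families alongside iptables, and their rule replacements can run checkentry concurrently, so two callers can both see false and both call get_random_bytes(). For NFQUEUE the seed only selects a queue, so a double draw merely changes which queue a flow lands in; a one-line comment saying that is enough, or use cmpxchg() on the flag if the seed must stay stable. The unlikely() hint buys nothing here, since checkentry is not a hot path.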
@@ -135,7 +140,6 @@ static struct xt_target nfqueue_tg_reg[] __read_mostly = {
 
 static int __init nfqueue_tg_init(void)
 {
-	get_random_bytes(&jhash_initval, sizeof(jhash_initval));
 	return xt_register_targets(nfqueue_tg_reg, ARRAY_SIZE(nfqueue_tg_reg));
 }
 
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
index d80b819..87ae97e 100644
--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -23,6 +23,7 @@ static DEFINE_MUTEX(xt_rateest_mutex);
 #define RATEEST_HSIZE	16
 static struct hlist_head rateest_hash[RATEEST_HSIZE] __read_mostly;
 static unsigned int jhash_rnd __read_mostly;
+static bool rnd_inited __read_mostly;
 
 static unsigned int xt_rateest_hash(const char *name)
 {
@@ -93,6 +94,11 @@ static bool xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
 		struct gnet_estimator	est;
 	} cfg;
 
+	if (unlikely(!rnd_inited)) {
+		get_random_bytes(&jhash_rnd, sizeof(jhash_rnd));
+		rnd_inited = true;
+	}
+
 	est = xt_rateest_lookup(info->name);
 	if (est) {
 		/*
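Review bot: same unserialized check-then-set as in xt_NFQUEUE, but here it matters: xt_rateest_hash() buckets estimators by jhash_rnd, and xt_rateest_lookup() just below hashes with the same seed, so a second get_random_bytes() after an estimator has been inserted makes that estimator unfindable. xt_rateest_mutex already exists (see the hunk header); taking it around the seeding, or doing the seeding inside the section that already serializes lookup and insert, closes the window. Also, this hunk leaves a blank line after the new block while the NFQUEUE hunk does not; pick one style.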
@@ -164,7 +170,6 @@ static int __init xt_rateest_tg_init(void)
 	for (i = 0; i < ARRAY_SIZE(rateest_hash); i++)
 		INIT_HLIST_HEAD(&rateest_hash[i]);
 
-	get_random_bytes(&jhash_rnd, sizeof(jhash_rnd));
 	return xt_register_target(&xt_rateest_tg_reg);
 }
 
-- 
1.6.5.3



* [PATCH 3/3] netfilter: xtables: obtain random bytes earlier, in checkentry
  2009-12-05 20:26 nfbz 621 - 3 kernel patches Jan Engelhardt
  2009-12-05 20:26 ` [PATCH 1/3] netfilter: xt_recent: save 8 bytes per htable Jan Engelhardt
  2009-12-05 20:26 ` [PATCH 2/3] netfilter: xtables: do not grab random bytes at __init Jan Engelhardt
@ 2009-12-05 20:26 ` Jan Engelhardt
  2010-01-04 15:29   ` Patrick McHardy
  2009-12-14 13:51 ` nfbz 621 - 3 kernel patches Patrick McHardy
From: Jan Engelhardt @ 2009-12-05 20:26 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

We can initialize the random hash bytes on checkentry. This is
preferable since it is outside the hot path.

Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=621
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 net/netfilter/xt_connlimit.c |   17 ++++++-----------
 net/netfilter/xt_recent.c    |   20 ++++++++------------
 2 files changed, 14 insertions(+), 23 deletions(-)

diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 38f03f7..8103bef 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -40,15 +40,11 @@ struct xt_connlimit_data {
 	spinlock_t lock;
 };
 
-static u_int32_t connlimit_rnd;
-static bool connlimit_rnd_inited;
+static u_int32_t connlimit_rnd __read_mostly;
+static bool connlimit_rnd_inited __read_mostly;
 
 static inline unsigned int connlimit_iphash(__be32 addr)
 {
-	if (unlikely(!connlimit_rnd_inited)) {
-		get_random_bytes(&connlimit_rnd, sizeof(connlimit_rnd));
-		connlimit_rnd_inited = true;
-	}
 	return jhash_1word((__force __u32)addr, connlimit_rnd) & 0xFF;
 }
 
@@ -59,11 +55,6 @@ connlimit_iphash6(const union nf_inet_addr *addr,
 	union nf_inet_addr res;
 	unsigned int i;
 
-	if (unlikely(!connlimit_rnd_inited)) {
-		get_random_bytes(&connlimit_rnd, sizeof(connlimit_rnd));
-		connlimit_rnd_inited = true;
-	}
-
 	for (i = 0; i < ARRAY_SIZE(addr->ip6); ++i)
 		res.ip6[i] = addr->ip6[i] & mask->ip6[i];
 
@@ -226,6 +217,10 @@ static bool connlimit_mt_check(const struct xt_mtchk_param *par)
 	struct xt_connlimit_info *info = par->matchinfo;
 	unsigned int i;
 
+	if (unlikely(!connlimit_rnd_inited)) {
+		get_random_bytes(&connlimit_rnd, sizeof(connlimit_rnd));
+		connlimit_rnd_inited = true;
+	}
 	if (nf_ct_l3proto_try_module_get(par->family) < 0) {
 		printk(KERN_WARNING "cannot load conntrack support for "
 		       "address family %u\n", par->family);
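Review bot: the check-then-set on connlimit_rnd_inited is unserialized while the seed is shared by every connlimit rule; connlimit_iphash() and connlimit_iphash6() above hash with connlimit_rnd on both insert and lookup, so a second draw after the first rule has populated its table strands those entries in buckets that will never be searched. Serializing the seeding (a mutex, or cmpxchg() on the flag) closes that. Minor: the seeding runs before nf_ct_l3proto_try_module_get() can fail, so a rejected rule still flips the flag; harmless, but worth a comment or a move below the checks.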
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index eb0ceb8..2176b1b 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -90,25 +90,17 @@ static struct proc_dir_entry *recent_proc_dir;
 static const struct file_operations recent_old_fops, recent_mt_fops;
 #endif
 
-static u_int32_t hash_rnd;
-static bool hash_rnd_initted;
+static u_int32_t hash_rnd __read_mostly;
+static bool hash_rnd_inited __read_mostly;
 
-static unsigned int recent_entry_hash4(const union nf_inet_addr *addr)
+static inline unsigned int recent_entry_hash4(const union nf_inet_addr *addr)
 {
-	if (!hash_rnd_initted) {
-		get_random_bytes(&hash_rnd, sizeof(hash_rnd));
-		hash_rnd_initted = true;
-	}
 	return jhash_1word((__force u32)addr->ip, hash_rnd) &
 	       (ip_list_hash_size - 1);
 }
 
-static unsigned int recent_entry_hash6(const union nf_inet_addr *addr)
+static inline unsigned int recent_entry_hash6(const union nf_inet_addr *addr)
 {
-	if (!hash_rnd_initted) {
-		get_random_bytes(&hash_rnd, sizeof(hash_rnd));
-		hash_rnd_initted = true;
-	}
 	return jhash2((u32 *)addr->ip6, ARRAY_SIZE(addr->ip6), hash_rnd) &
 	       (ip_list_hash_size - 1);
 }
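Review bot: adding inline to recent_entry_hash4() and recent_entry_hash6() is unrelated to the seed move, and for static functions in a .c file gcc makes that call on its own; keeping the hunk to the removal plus the initted -> inited rename makes the change easier to review and to bisect.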
@@ -287,6 +279,10 @@ static bool recent_mt_check(const struct xt_mtchk_param *par)
 	unsigned i;
 	bool ret = false;
 
+	if (unlikely(!hash_rnd_inited)) {
+		get_random_bytes(&hash_rnd, sizeof(hash_rnd));
+		hash_rnd_inited = true;
+	}
 	if (hweight8(info->check_set &
 		     (XT_RECENT_SET | XT_RECENT_REMOVE |
 		      XT_RECENT_CHECK | XT_RECENT_UPDATE)) != 1)
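Review bot: the seeding sits in front of the check_set validation, so a rule rejected for an invalid check_set still consumes entropy and sets hash_rnd_inited; harmless, but placing the block after the parameter checks keeps the failure path free of side effects. The same unserialized check-then-set as in the other modules applies here too, and recent_entry_hash4()/hash6() above use hash_rnd for every lookup, so a second draw after entries exist would orphan them.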
-- 
1.6.5.3


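The two points the 2/3 and 3/3 messages make, seed only once the pool has had a chance to fill and seed before any entry can exist, are worth seeing together. What follows is an added example, not code from the patches or from the kernel: it uses a stand-in for jhash_1word() (a lookup3-style mix; the constants are an assumption), a simplified chained table with the 256 buckets connlimit_iphash() uses, and fixed seed constants in place of get_random_bytes() so the runs are reproducible. It goes one step beyond the messages by showing what a guessable seed costs: an attacker who knows it can pick sources that all land in one bucket.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NBUCKETS    256   /* connlimit_iphash() masks with 0xFF: 256 buckets */
#define MAX_ENTRIES 256

static uint32_t rol32(uint32_t x, unsigned k) { return (x << k) | (x >> (32 - k)); }

/* Stand-in for jhash_1word(): one word mixed with a seed through a
 * lookup3-style final mix (assumption: not the kernel's exact function). */
static uint32_t seeded_hash(uint32_t word, uint32_t seed)
{
    uint32_t a = word + 0xdeadbeef, b = 0xdeadbeef, c = seed + 0xdeadbeef;
    c ^= b; c -= rol32(b, 14);  a ^= c; a -= rol32(c, 11);
    b ^= a; b -= rol32(a, 25);  c ^= b; c -= rol32(b, 16);
    a ^= c; a -= rol32(c, 4);   b ^= a; b -= rol32(a, 14);
    c ^= b; c -= rol32(b, 24);
    return c;
}

/* Chained table keyed by IPv4 address; one seed per table lifetime. */
struct table {
    uint32_t seed;
    bool     seeded;                  /* the *_rnd_inited flag */
    unsigned count;
    uint32_t addrs[MAX_ENTRIES];
    unsigned bucket_of[MAX_ENTRIES];  /* bucket chosen when the entry was inserted */
};

static unsigned bucket(const struct table *t, uint32_t addr)
{
    return seeded_hash(addr, t->seed) & (NBUCKETS - 1);
}

/* The checkentry step: seed once, before any entry can exist. The seed is a
 * parameter so the example is deterministic; the kernel uses get_random_bytes(). */
static void table_check(struct table *t, uint32_t seed)
{
    if (!t->seeded) { t->seed = seed; t->seeded = true; }
}

static bool table_insert(struct table *t, uint32_t addr)
{
    if (!t->seeded || t->count >= MAX_ENTRIES) return false;
    t->addrs[t->count] = addr;
    t->bucket_of[t->count] = bucket(t, addr);
    t->count++;
    return true;
}

/* Walk only the chain that the *current* seed selects, as the real code does. */
static bool table_lookup(const struct table *t, uint32_t addr)
{
    unsigned b = bucket(t, addr);
    for (unsigned i = 0; i < t->count; i++)
        if (t->bucket_of[i] == b && t->addrs[i] == addr) return true;
    return false;
}

static unsigned hits(const struct table *t)
{
    unsigned n = 0;
    for (unsigned i = 0; i < t->count; i++) n += table_lookup(t, t->addrs[i]);
    return n;
}

static unsigned max_chain(const struct table *t)
{
    unsigned len[NBUCKETS] = {0}, m = 0;
    for (unsigned i = 0; i < t->count; i++)
        if (++len[t->bucket_of[i]] > m) m = len[t->bucket_of[i]];
    return m;
}

/* An attacker who knows the seed brute-forces n sources sharing one bucket. */
static unsigned colliding_addrs(uint32_t seed, unsigned target, uint32_t *out, unsigned n)
{
    struct table probe = { .seed = seed, .seeded = true };
    unsigned found = 0;
    for (uint32_t a = 0x0a000000u; found < n && a < 0x0a100000u; a++)  /* scan 10.0.0.0/12 */
        if (bucket(&probe, a) == target) out[found++] = a;
    return found;
}

/* Seed fixed for the table lifetime: every inserted source stays reachable. */
unsigned demo_stable_seed(void)
{
    struct table t = {0};
    table_check(&t, 0x243f6a88u);
    for (uint32_t i = 0; i < 64; i++) table_insert(&t, 0xc0000200u + i);  /* 192.0.2.0/26 */
    return hits(&t);
}

/* Seed redrawn after entries exist (a second, racing "if (!inited)" block
 * would do this): entries filed under the old seed are no longer found. */
unsigned demo_reseed_after_insert(void)
{
    struct table t = {0};
    table_check(&t, 0x243f6a88u);
    for (uint32_t i = 0; i < 64; i++) table_insert(&t, 0xc0000200u + i);
    t.seed = 0x85a308d3u;
    return hits(&t);
}

/* Longest chain after inserting 32 sources chosen against attacker_seed into a
 * table actually seeded with real_seed. */
unsigned demo_flood(uint32_t attacker_seed, uint32_t real_seed)
{
    uint32_t addrs[32];
    unsigned n = colliding_addrs(attacker_seed, 0, addrs, 32);
    struct table t = {0};
    table_check(&t, real_seed);
    for (unsigned i = 0; i < n; i++) table_insert(&t, addrs[i]);
    return max_chain(&t);
}

int main(void)
{
    printf("stable seed:           %u/64 lookups hit\n", demo_stable_seed());
    printf("reseeded after insert: %u/64 lookups hit\n", demo_reseed_after_insert());
    printf("flood, seed guessed:   longest chain %u\n", demo_flood(0x243f6a88u, 0x243f6a88u));
    printf("flood, seed secret:    longest chain %u\n", demo_flood(0x243f6a88u, 0x85a308d3u));
    return 0;
}
```

Build with `cc -o seedtable seedtable.c` and run. The third scenario is why the bug report objects to drawing the seed at module init: a value taken from a pool that has had no time to collect entropy is a guessable seed, and with a guessable seed every per-source table (recent, connlimit, hashlimit) can be driven into one long chain by a remote peer choosing its source addresses. The second scenario is why the seeding in checkentry must also happen exactly once for the lifetime of the entries it protects, which an unserialized if (!inited) block does not by itself guarantee.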

* Re: nfbz 621 - 3 kernel patches
  2009-12-05 20:26 nfbz 621 - 3 kernel patches Jan Engelhardt
  2009-12-05 20:26 ` [PATCH 3/3] netfilter: xtables: obtain random bytes earlier, in checkentry Jan Engelhardt
@ 2009-12-14 13:51 ` Patrick McHardy
  2010-01-25 11:01   ` Jan Engelhardt
From: Patrick McHardy @ 2009-12-14 13:51 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

Jan Engelhardt wrote:
> a few simple commits that turned up while processing NF bug 621.
> Thanks for taking care of them :)
> 
> 
> The following changes since commit 22763c5cf3690a681551162c15d34d935308c8d7:
>   Linus Torvalds (1):
>         Linux 2.6.32
> 
> are available in the git repository at:
> 
>   git://dev.medozas.de/linux master

I'll apply those once the net-next tree opens up.


* Re: [PATCH 1/3] netfilter: xt_recent: save 8 bytes per htable
  2009-12-05 20:26 ` [PATCH 1/3] netfilter: xt_recent: save 8 bytes per htable Jan Engelhardt
@ 2010-01-04 15:26   ` Patrick McHardy
From: Patrick McHardy @ 2010-01-04 15:26 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

Jan Engelhardt wrote:
> Moving rnd_inited into the hole after the uint8 lets go of the uint32
> rnd_inited was using, plus the padding that would follow the int group.

Applied, thanks Jan.


* Re: [PATCH 2/3] netfilter: xtables: do not grab random bytes at __init
  2009-12-05 20:26 ` [PATCH 2/3] netfilter: xtables: do not grab random bytes at __init Jan Engelhardt
@ 2010-01-04 15:27   ` Patrick McHardy
From: Patrick McHardy @ 2010-01-04 15:27 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

Jan Engelhardt wrote:
> References: http://bugzilla.netfilter.org/show_bug.cgi?id=621
> 
> "It is deliberately not done in the init function, since we might not
> have sufficient random while booting."

Applied, thanks.


* Re: [PATCH 3/3] netfilter: xtables: obtain random bytes earlier, in checkentry
  2009-12-05 20:26 ` [PATCH 3/3] netfilter: xtables: obtain random bytes earlier, in checkentry Jan Engelhardt
@ 2010-01-04 15:29   ` Patrick McHardy
From: Patrick McHardy @ 2010-01-04 15:29 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

Jan Engelhardt wrote:
> We can initialize the random hash bytes on checkentry. This is
> preferable since it is outside the hot path.
> 
> Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=621

Also applied, thanks.


* Re: nfbz 621 - 3 kernel patches
  2009-12-14 13:51 ` nfbz 621 - 3 kernel patches Patrick McHardy
@ 2010-01-25 11:01   ` Jan Engelhardt
  2010-01-25 12:09     ` Patrick McHardy
From: Jan Engelhardt @ 2010-01-25 11:01 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netfilter-devel

On Monday 2009-12-14 14:51, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> a few simple commits that turned up while processing NF bug 621.
>> Thanks for taking care of them :)
>> 
>> The following changes since commit 22763c5cf3690a681551162c15d34d935308c8d7:
>>   Linus Torvalds (1):
>>         Linux 2.6.32
>> 
>> are available in the git repository at:
>> 
>>   git://dev.medozas.de/linux master
>
>I'll apply those once the net-next tree opens up.

Is it open already? :)


* Re: nfbz 621 - 3 kernel patches
  2010-01-25 11:01   ` Jan Engelhardt
@ 2010-01-25 12:09     ` Patrick McHardy
  2010-01-25 23:05       ` Jan Engelhardt
From: Patrick McHardy @ 2010-01-25 12:09 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

Jan Engelhardt wrote:
> On Monday 2009-12-14 14:51, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> a few simple commits that turned up while processing NF bug 621.
>>> Thanks for taking care of them :)
>>>
>>> The following changes since commit 22763c5cf3690a681551162c15d34d935308c8d7:
>>>   Linus Torvalds (1):
>>>         Linux 2.6.32
>>>
>>> are available in the git repository at:
>>>
>>>   git://dev.medozas.de/linux master
>> I'll apply those once the net-next tree opens up.
> 
> Is it open already? :)

Yes, but I don't have those patches in my inbox anymore. Please
resend based on nf-next-2.6.git.


* Re: nfbz 621 - 3 kernel patches
  2010-01-25 12:09     ` Patrick McHardy
@ 2010-01-25 23:05       ` Jan Engelhardt
  2010-01-26 11:08         ` Patrick McHardy
From: Jan Engelhardt @ 2010-01-25 23:05 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netfilter-devel


On Monday 2010-01-25 13:09, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> On Monday 2009-12-14 14:51, Patrick McHardy wrote:
>>> Jan Engelhardt wrote:
>>>> a few simple commits that turned up while processing NF bug 621.
>>>> Thanks for taking care of them :)
>>>>
>>>> The following changes since commit 22763c5cf3690a681551162c15d34d935308c8d7:
>>>>   Linus Torvalds (1):
>>>>         Linux 2.6.32
>>>>
>>>> are available in the git repository at:
>>>>
>>>>   git://dev.medozas.de/linux master
>>> I'll apply those once the net-next tree opens up.
>> 
>> Is it open already? :)
>
>Yes, but I don't have those patches in my inbox anymore. Please
>resend based on nf-next-2.6.git.

Seems they've already got merged.


* Re: nfbz 621 - 3 kernel patches
  2010-01-25 23:05       ` Jan Engelhardt
@ 2010-01-26 11:08         ` Patrick McHardy
From: Patrick McHardy @ 2010-01-26 11:08 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

Jan Engelhardt wrote:
> On Monday 2010-01-25 13:09, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> On Monday 2009-12-14 14:51, Patrick McHardy wrote:
>>>> Jan Engelhardt wrote:
>>>>> a few simple commits that turned up while processing NF bug 621.
>>>>> Thanks for taking care of them :)
>>>>>
>>>>> The following changes since commit 22763c5cf3690a681551162c15d34d935308c8d7:
>>>>>   Linus Torvalds (1):
>>>>>         Linux 2.6.32
>>>>>
>>>>> are available in the git repository at:
>>>>>
>>>>>   git://dev.medozas.de/linux master
>>>> I'll apply those once the net-next tree opens up.
>>> Is it open already? :)
>> Yes, but I don't have those patches in my inbox anymore. Please
>> resend based on nf-next-2.6.git.
> 
> Seems they've already got merged.

Ah, right, just as I wrote on the 4th :)



2009-12-05 20:26 nfbz 621 - 3 kernel patches Jan Engelhardt
2009-12-05 20:26 ` [PATCH 1/3] netfilter: xt_recent: save 8 bytes per htable Jan Engelhardt
2010-01-04 15:26   ` Patrick McHardy
2009-12-05 20:26 ` [PATCH 2/3] netfilter: xtables: do not grab random bytes at __init Jan Engelhardt
2010-01-04 15:27   ` Patrick McHardy
2009-12-05 20:26 ` [PATCH 3/3] netfilter: xtables: obtain random bytes earlier, in checkentry Jan Engelhardt
2010-01-04 15:29   ` Patrick McHardy
2009-12-14 13:51 ` nfbz 621 - 3 kernel patches Patrick McHardy
2010-01-25 11:01   ` Jan Engelhardt
2010-01-25 12:09     ` Patrick McHardy
2010-01-25 23:05       ` Jan Engelhardt
2010-01-26 11:08         ` Patrick McHardy
