From patchwork Sun Dec 30 23:23:13 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [1/4] netfilter: nf_tables: rise maximum number of expressions from 12 to 128
Date: Sun, 30 Dec 2012 13:23:13 -0000
From: Pablo Neira
X-Patchwork-Id: 208808
Message-Id: <1356909796-3143-1-git-send-email-pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: kaber@trash.net

From: Pablo Neira Ayuso

Use kmalloc'ed memory area to store the parsed expressions instead of
using the stack. This allows us to raise the maximum number of
expressions in one rule.

In 64-bits arch, this requires 17408 bytes for our allocated struct
nft_expr_info.

Signed-off-by: Pablo Neira Ayuso
---
 net/netfilter/nf_tables_api.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index fc596b5..a847375 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1332,7 +1332,9 @@ static void nf_tables_rule_destroy(struct nft_rule *rule)
 	call_rcu(&rule->rcu_head, nf_tables_rcu_rule_destroy);
 }
 
-#define NFT_RULE_MAXEXPRS 12
+#define NFT_RULE_MAXEXPRS 128
+
+static struct nft_expr_info *info;
 
 static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
 			     const struct nlmsghdr *nlh,
@@ -1343,7 +1345,6 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
 	struct nft_table *table;
 	struct nft_chain *chain;
 	struct nft_rule *rule, *old_rule = NULL;
-	struct nft_expr_info info[NFT_RULE_MAXEXPRS];
 	struct nft_expr *expr;
 	struct nft_ctx ctx;
 	struct nlattr *tmp;
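Review bot: The new file-scope `static struct nft_expr_info *info;` turns a per-invocation stack array into one scratch buffer shared by every nf_tables_newrule() call, and nothing in the hunk records what serializes concurrent NFT_MSG_NEWRULE requests so that two parsers cannot fill the same array at once (presumably the nfnetlink subsystem lock — confirm). A comment at the declaration should state that assumption, e.g. `/* Scratch area for nf_tables_newrule(); relies on nfnetlink serializing rule requests, not safe for concurrent callers. */`. The buffer is also no longer reinitialized between rules, so any entry the parser reads before writing would now carry data from a previous request rather than stack contents; the body of nf_tables_newrule that indexes `info` is outside the hunk, so this is something to verify there.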
@@ -2859,22 +2860,30 @@ static int __init nf_tables_module_init(void)
 {
 	int err;
 
+	info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
+		       GFP_KERNEL);
+	if (info == NULL) {
+		err = -ENOMEM;
+		goto err1;
+	}
+
 	err = nf_tables_core_module_init();
 	if (err < 0)
-		goto err1;
+		goto err2;
 
 	err = nfnetlink_subsys_register(&nf_tables_subsys);
 	if (err < 0)
-		goto err2;
+		goto err3;
 
 	nft_register_chain_type(&filter_ipv4);
 	nft_register_chain_type(&filter_ipv6);
 
 	pr_info("nf_tables: (c) 2007-2009 Patrick McHardy \n");
 	return 0;
-
-err2:
+err3:
 	nf_tables_core_module_exit();
+err2:
+	kfree(info);
 err1:
 	return err;
 }
@@ -2885,6 +2894,7 @@ static void __exit nf_tables_module_exit(void)
 	nft_unregister_chain_type(&filter_ipv6);
 	nfnetlink_subsys_unregister(&nf_tables_subsys);
 	nf_tables_core_module_exit();
+	kfree(info);
 }
 
 module_init(nf_tables_module_init);
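Review bot: The `info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS, GFP_KERNEL);` lines allocate an array of a fixed size, so the multiplication cannot overflow, but the buffer is handed to the rule parser uninitialized and then reused across every subsequent request; `info = kcalloc(NFT_RULE_MAXEXPRS, sizeof(struct nft_expr_info), GFP_KERNEL);` would express the array shape and give a defined initial state at no extra cost. The relabelled error path is consistent: a core-init failure now reaches `err2` and frees the buffer, and a subsys-register failure unwinds through `err3` then `err2`. The matching `kfree(info);` in nf_tables_module_exit (the following hunk) runs after nfnetlink_subsys_unregister, which looks like the correct order since no handler can still be using the buffer at that point — confirm against the unregister semantics.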