[nf-next,0/2] netfilter: reduce size of hook entry points

Message ID	20171202235848.22737-1-fw@strlen.de
Headers	show Return-Path: <netfilter-devel-owner@vger.kernel.org> From: Florian Westphal <fw@strlen.de> To: <netfilter-devel@vger.kernel.org> Subject: [PATCH nf-next 0/2] netfilter: reduce size of hook entry points Date: Sun, 3 Dec 2017 00:58:46 +0100 Message-Id: <20171202235848.22737-1-fw@strlen.de> Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk
Series	netfilter: reduce size of hook entry points \| expand [nf-next,0/2] netfilter: reduce size of hook entry points [nf-next,1/2] netfilter: reduce size of hook entry point locations [nf-next,2/2] netfilter: reduce hook array sizes to what is needed

Message ID

20171202235848.22737-1-fw@strlen.de

Headers

From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Subject: [PATCH nf-next 0/2] netfilter: reduce size of hook entry points
Date: Sun,  3 Dec 2017 00:58:46 +0100
Message-Id: <20171202235848.22737-1-fw@strlen.de>
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk

Series

netfilter: reduce size of hook entry points | expand

Message

Florian Westphal Dec. 2, 2017, 11:58 p.m. UTC

struct net contains:

struct nf_hook_entries __rcu *hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS];

where NFPROTO_NUMPROTO = 13 and NF_MAX_HOOKS = 8.

... and that needs a *lot* more space than what we really need.
We only need hooks for arp, bridge, ipv4, ipv6 and decnet.

Arp only has 3 hook types, decnet has 7, all others have 5.
So replace this with dedicated arrays of the correct size to save
some space.

Changes since RFC:
 - bridge only needs 5, not 6 hooks (BROUTE isn't a real hookpoint)
 - Use run-time check to reject register requests for hook types that
   don't fit the array size.
   RFC tried to use BUILD_BUG_ON checks in nf_hook(), but that breaks build
   on some older gcc releases.

 include/linux/netfilter.h       |   30 ++++++++++++++++++--
 include/net/netns/netfilter.h   |   15 +++++++++-
 net/bridge/br_netfilter_hooks.c |    2 -
 net/netfilter/core.c            |   60 ++++++++++++++++++++++++++++++++++------
 net/netfilter/nf_queue.c        |   21 ++++++++++++--
 5 files changed, 114 insertions(+), 14 deletions(-)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Pablo Neira Ayuso Dec. 6, 2017, 8:20 a.m. UTC | #1

On Sun, Dec 03, 2017 at 12:58:46AM +0100, Florian Westphal wrote:
> struct net contains:
> 
> struct nf_hook_entries __rcu *hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
> 
> where NFPROTO_NUMPROTO = 13 and NF_MAX_HOOKS = 8.
> 
> ... and that needs a *lot* more space than what we really need.
> We only need hooks for arp, bridge, ipv4, ipv6 and decnet.
> 
> Arp only has 3 hook types, decnet has 7, all others have 5.
> So replace this with dedicated arrays of the correct size to save
> some space.

Also applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html