From patchwork Wed Feb 28 22:19:41 2018
X-Patchwork-Submitter: Yi-Hung Wei
X-Patchwork-Id: 879455
X-Patchwork-Delegate: pablo@netfilter.org
From: Yi-Hung Wei
To: fw@strlen.de, netfilter-devel@vger.kernel.org
Cc: Yi-Hung Wei
Subject: [PATCH nf-next 1/2] netfilter: nf_conncount: Refactor nf_conncount
Date: Wed, 28 Feb 2018 14:19:41 -0800
Message-Id: <1519856382-40212-1-git-send-email-yihung.wei@gmail.com>
X-Mailer: git-send-email 2.7.4

This patch contains two parts.

1. Remove parameter 'family' in nf_conncount_count() and count_tree().
   Before commit 625c556118f3 ("netfilter: connlimit: split xt_connlimit
   into front and backend"), 'family' was used to determine the type of
   nf_inet_addr, but the parameter is not useful after that commit.

2. Move nf_ct_netns_get/put() to the user of nf_conncount. Since
   nf_conncount now supports general keys, if the key is not related to a
   particular NFPROTO_*, then it is not necessary to do
   nf_ct_netns_get/put() in nf_conncount.
Signed-off-by: Yi-Hung Wei --- include/net/netfilter/nf_conntrack_count.h | 6 ++---- net/netfilter/nf_conncount.c | 19 ++++--------------- net/netfilter/xt_connlimit.c | 16 ++++++++++++---- 3 files changed, 18 insertions(+), 23 deletions(-) diff --git a/include/net/netfilter/nf_conntrack_count.h b/include/net/netfilter/nf_conntrack_count.h index adf8db44cf86..c4f33f762ceb 100644 --- a/include/net/netfilter/nf_conntrack_count.h +++ b/include/net/netfilter/nf_conntrack_count.h @@ -3,15 +3,13 @@ struct nf_conncount_data; -struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int family, +struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int keylen); -void nf_conncount_destroy(struct net *net, unsigned int family, - struct nf_conncount_data *data); +void nf_conncount_destroy(struct nf_conncount_data *data); unsigned int nf_conncount_count(struct net *net, struct nf_conncount_data *data, const u32 *key, - unsigned int family, const struct nf_conntrack_tuple *tuple, const struct nf_conntrack_zone *zone); #endif diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c index 6d65389e308f..91b13142631e 100644 --- a/net/netfilter/nf_conncount.c +++ b/net/netfilter/nf_conncount.c @@ -158,7 +158,6 @@ static void tree_nodes_free(struct rb_root *root, static unsigned int count_tree(struct net *net, struct rb_root *root, const u32 *key, u8 keylen, - u8 family, const struct nf_conntrack_tuple *tuple, const struct nf_conntrack_zone *zone) { @@ -246,7 +245,6 @@ count_tree(struct net *net, struct rb_root *root, unsigned int nf_conncount_count(struct net *net, struct nf_conncount_data *data, const u32 *key, - unsigned int family, const struct nf_conntrack_tuple *tuple, const struct nf_conntrack_zone *zone) { 
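Review bot: the nf_conntrack_count.h hunk drops 'family' from nf_conncount_init() and nf_conncount_destroy() but does not document the contract that replaces it: a caller whose keys are tied to a conntrack family must now hold its own nf_ct_netns_get() reference for as long as it calls nf_conncount_count() with a tuple, as the xt_connlimit part of this series does. The commit message explains this, but nothing in the header does. A short comment above the nf_conncount_init() prototype, along the lines of "callers that pass conntrack tuples must hold nf_ct_netns_get() for the relevant family", would keep the next user of the API from omitting it.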
@@ -259,7 +257,7 @@ unsigned int nf_conncount_count(struct net *net, spin_lock_bh(&nf_conncount_locks[hash % CONNCOUNT_LOCK_SLOTS]); - count = count_tree(net, root, key, data->keylen, family, tuple, zone); + count = count_tree(net, root, key, data->keylen, tuple, zone); spin_unlock_bh(&nf_conncount_locks[hash % CONNCOUNT_LOCK_SLOTS]); @@ -267,11 +265,11 @@ unsigned int nf_conncount_count(struct net *net, } EXPORT_SYMBOL_GPL(nf_conncount_count); -struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int family, +struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int keylen) { struct nf_conncount_data *data; - int ret, i; + int i; if (keylen % sizeof(u32) || keylen / sizeof(u32) > MAX_KEYLEN || @@ -284,12 +282,6 @@ struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int family if (!data) return ERR_PTR(-ENOMEM); - ret = nf_ct_netns_get(net, family); - if (ret < 0) { - kfree(data); - return ERR_PTR(ret); - } - for (i = 0; i < ARRAY_SIZE(data->root); ++i) data->root[i] = RB_ROOT; @@ -318,13 +310,10 @@ static void destroy_tree(struct rb_root *r) } } -void nf_conncount_destroy(struct net *net, unsigned int family, - struct nf_conncount_data *data) +void nf_conncount_destroy(struct nf_conncount_data *data) { unsigned int i; - nf_ct_netns_put(net, family); - for (i = 0; i < ARRAY_SIZE(data->root); ++i) destroy_tree(&data->root[i]); diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c index b1b17b9353e1..805e23155253 100644 --- a/net/netfilter/xt_connlimit.c +++ b/net/netfilter/xt_connlimit.c @@ -67,8 +67,8 @@ connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par) key[1] = zone->id; } - connections = nf_conncount_count(net, info->data, key, - xt_family(par), tuple_ptr, zone); + connections = nf_conncount_count(net, info->data, key, tuple_ptr, + zone); if (connections == 0) /* kmalloc failed, drop it entirely */ goto hotdrop; 
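Review bot: style nit in the xt_connlimit.c connlimit_mt() hunk: once xt_family(par) is gone, the call "connections = nf_conncount_count(net, info->data, key, tuple_ptr, zone);" comes to exactly 80 columns at one tab of indentation, so the continuation line carrying only "zone);" is no longer needed. The nf_conncount_init()/nf_conncount_destroy() hunks themselves look correct: with nf_ct_netns_get() gone, 'ret' is unused and is rightly removed, and destroy no longer needs 'net'.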
@@ -84,6 +84,7 @@ static int connlimit_mt_check(const struct xt_mtchk_param *par) { struct xt_connlimit_info *info = par->matchinfo; unsigned int keylen; + int ret; keylen = sizeof(u32); if (par->family == NFPROTO_IPV6) @@ -92,10 +93,16 @@ static int connlimit_mt_check(const struct xt_mtchk_param *par) keylen += sizeof(struct in_addr); /* init private data */ - info->data = nf_conncount_init(par->net, par->family, keylen); + info->data = nf_conncount_init(par->net, keylen); if (IS_ERR(info->data)) return PTR_ERR(info->data); + ret = nf_ct_netns_get(par->net, par->family); + if (ret < 0) { + nf_conncount_destroy(info->data); + return ret; + } + return 0; } 
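Review bot: the connlimit_mt_check() hunk is correct but the error handling could be simpler: calling nf_ct_netns_get(par->net, par->family) before nf_conncount_init() would let a failed init return PTR_ERR(info->data) after a single nf_ct_netns_put(), and a failed netns_get return immediately with nothing to undo. As written, the nf_conncount_destroy(info->data) in the new failure branch is the only cleanup, so either order works; the point is only that acquiring the reference first mirrors the release order in connlimit_mt_destroy() (put, then destroy) and keeps both paths one step shorter.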
@@ -103,7 +110,8 @@ static void connlimit_mt_destroy(const struct xt_mtdtor_param *par) { const struct xt_connlimit_info *info = par->matchinfo; - nf_conncount_destroy(par->net, par->family, info->data); + nf_ct_netns_put(par->net, par->family); + nf_conncount_destroy(info->data); } static struct xt_match connlimit_mt_reg __read_mostly = {

From patchwork Wed Feb 28 22:19:42 2018
X-Patchwork-Submitter: Yi-Hung Wei
X-Patchwork-Id: 879456
X-Patchwork-Delegate: pablo@netfilter.org
From: Yi-Hung Wei To: fw@strlen.de, netfilter-devel@vger.kernel.org Cc: Yi-Hung Wei Subject: [PATCH nf-next 2/2] nf_conncount: Support count only use case Date: Wed, 28 Feb 2018 14:19:42 -0800 Message-Id: <1519856382-40212-2-git-send-email-yihung.wei@gmail.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1519856382-40212-1-git-send-email-yihung.wei@gmail.com> References: <1519856382-40212-1-git-send-email-yihung.wei@gmail.com> Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Currently, nf_conncount_count() counts the number of connections that matches key and inserts a conntrack 'tuple' associated with the key into the accounting data structure. This patch supports another use case that only counts the number of connections associated with the key without providing a 'tuple'. Therefore, proper changes are made on nf_conncount_count() to support the case where 'tuple' is NULL. Signed-off-by: Yi-Hung Wei --- net/netfilter/nf_conncount.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c index 91b13142631e..b247e82ae8e2 100644 --- a/net/netfilter/nf_conncount.c +++ b/net/netfilter/nf_conncount.c @@ -104,7 +104,7 @@ static unsigned int check_hlist(struct net *net, struct nf_conn *found_ct; unsigned int length = 0; - *addit = true; + *addit = tuple ? true : false; /* check the saved connections */ hlist_for_each_entry_safe(conn, n, head, node) { @@ -117,7 +117,7 @@ static unsigned int check_hlist(struct net *net, found_ct = nf_ct_tuplehash_to_ctrack(found); - if (nf_ct_tuple_equal(&conn->tuple, tuple)) { + if (tuple && nf_ct_tuple_equal(&conn->tuple, tuple)) { /* * Just to be sure we have it only once in the list. * We should not see tuples twice unless someone hooks 
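Review bot: in the first check_hlist() hunk, "*addit = tuple ? true : false;" is a ternary on a pointer that already converts to bool; "*addit = tuple != NULL;" says the same thing more directly. The second hunk, guarding nf_ct_tuple_equal() with "tuple &&", is the important one: without it a NULL tuple would be dereferenced inside nf_ct_tuple_equal() on the first saved connection, so the guard must stay even if the ternary is simplified. It is worth a sentence in the commit message that a NULL-tuple call still walks the list and still drops entries whose conntrack is gone, so count-only callers get a fresh count, not a stale one.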
@@ -220,6 +220,9 @@ count_tree(struct net *net, struct rb_root *root, goto restart; } + if (!tuple) + return 0; + /* no match, need to insert new node */ rbconn = kmem_cache_alloc(conncount_rb_cachep, GFP_ATOMIC); if (rbconn == NULL) @@ -242,6 +245,9 @@ count_tree(struct net *net, struct rb_root *root, return 1; } +/* Count and return number of conntrack entries in 'net' with particular 'key'. + * If 'tuple' is not null, insert it into the accounting data structure. + */ unsigned int nf_conncount_count(struct net *net, struct nf_conncount_data *data, const u32 *key,
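Review bot: the new header comment on nf_conncount_count() should spell out what a return value of 0 means in the count-only case. The existing caller in xt_connlimit treats 0 as "kmalloc failed, drop it entirely" (see the connlimit_mt() hunk in patch 1/2), but after the "if (!tuple) return 0;" added to count_tree() a NULL-tuple call returns 0 both when the key has no rb node and when the node exists with an empty list, and for that caller 0 is a perfectly normal answer rather than an allocation failure. Stating that no allocation happens and 0 is never an error when 'tuple' is NULL, while the drop-on-0 convention only applies when a tuple is supplied, would stop the next caller from copying the hotdrop logic.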