From patchwork Sun Mar 4 23:29:51 2018
X-Patchwork-Submitter: Yi-Hung Wei
X-Patchwork-Id: 881242
X-Patchwork-Delegate: pablo@netfilter.org
From: Yi-Hung Wei
To: fw@strlen.de, netfilter-devel@vger.kernel.org
Cc: Yi-Hung Wei
Subject: [PATCH nf-next v2 1/2] netfilter: Refactor nf_conncount
Date: Sun, 4 Mar 2018 15:29:51 -0800
Message-Id: <1520206192-17093-1-git-send-email-yihung.wei@gmail.com>

Remove parameter 'family' in nf_conncount_count() and count_tree().
It is because the parameter is not useful after commit 625c556118f3 ("netfilter: connlimit: split xt_connlimit into front and backend").

Signed-off-by: Yi-Hung Wei
Acked-by: Florian Westphal
---
 include/net/netfilter/nf_conntrack_count.h | 1 -
 net/netfilter/nf_conncount.c | 4 +---
 net/netfilter/xt_connlimit.c | 4 ++--
 3 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack_count.h b/include/net/netfilter/nf_conntrack_count.h index adf8db44cf86..e61184fbfb71 100644 --- a/include/net/netfilter/nf_conntrack_count.h +++ b/include/net/netfilter/nf_conntrack_count.h @@ -11,7 +11,6 @@ void nf_conncount_destroy(struct net *net, unsigned int family, unsigned int nf_conncount_count(struct net *net, struct nf_conncount_data *data, const u32 *key, - unsigned int family, const struct nf_conntrack_tuple *tuple, const struct nf_conntrack_zone *zone); #endif diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c index 6d65389e308f..9305a08b4422 100644 --- a/net/netfilter/nf_conncount.c +++ b/net/netfilter/nf_conncount.c @@ -158,7 +158,6 @@ static void tree_nodes_free(struct rb_root *root, static unsigned int count_tree(struct net *net, struct rb_root *root, const u32 *key, u8 keylen, - u8 family, const struct nf_conntrack_tuple *tuple, const struct nf_conntrack_zone *zone) { @@ -246,7 +245,6 @@ count_tree(struct net *net, struct rb_root *root, unsigned int nf_conncount_count(struct net *net, struct nf_conncount_data *data, const u32 *key, - unsigned int family, const struct nf_conntrack_tuple *tuple, const struct nf_conntrack_zone *zone) { @@ -259,7 +257,7 @@ unsigned int nf_conncount_count(struct net *net, spin_lock_bh(&nf_conncount_locks[hash % CONNCOUNT_LOCK_SLOTS]); - count = count_tree(net, root, key, data->keylen, family, tuple, zone); + count = count_tree(net, root, key, data->keylen, tuple, zone); spin_unlock_bh(&nf_conncount_locks[hash % CONNCOUNT_LOCK_SLOTS]); diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c index b1b17b9353e1..6275106ccf50 100644 --- a/net/netfilter/xt_connlimit.c +++ b/net/netfilter/xt_connlimit.c 
@@ -67,8 +67,8 @@ connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par) key[1] = zone->id; } - connections = nf_conncount_count(net, info->data, key, - xt_family(par), tuple_ptr, zone); + connections = nf_conncount_count(net, info->data, key, tuple_ptr, + zone); if (connections == 0) /* kmalloc failed, drop it entirely */ goto hotdrop;

From patchwork Sun Mar 4 23:29:52 2018
X-Patchwork-Submitter: Yi-Hung Wei
X-Patchwork-Id: 881241
X-Patchwork-Delegate: pablo@netfilter.org
From: Yi-Hung Wei
To: fw@strlen.de, netfilter-devel@vger.kernel.org
Cc: Yi-Hung Wei
Subject: [PATCH nf-next v2 2/2] nf_conncount: Support count only use case
Date: Sun, 4 Mar 2018 15:29:52 -0800
Message-Id: <1520206192-17093-2-git-send-email-yihung.wei@gmail.com>
In-Reply-To: <1520206192-17093-1-git-send-email-yihung.wei@gmail.com>
References: <1520206192-17093-1-git-send-email-yihung.wei@gmail.com>

Currently, nf_conncount_count() counts the number of connections that match key and inserts a conntrack 'tuple' with the same key into the accounting data structure. This patch supports another use case that only counts the number of connections where 'tuple' is not provided. Therefore, proper changes are made on nf_conncount_count() to support the case where 'tuple' is NULL. This could be useful for querying statistics or debugging purposes.

Signed-off-by: Yi-Hung Wei
Acked-by: Florian Westphal
---
 net/netfilter/nf_conncount.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c index 9305a08b4422..153e690e2893 100644 --- a/net/netfilter/nf_conncount.c +++ b/net/netfilter/nf_conncount.c @@ -104,7 +104,7 @@ static unsigned int check_hlist(struct net *net, struct nf_conn *found_ct; unsigned int length = 0; - *addit = true; + *addit = tuple ? true : false; /* check the saved connections */ hlist_for_each_entry_safe(conn, n, head, node) { @@ -117,7 +117,7 @@ static unsigned int check_hlist(struct net *net, found_ct = nf_ct_tuplehash_to_ctrack(found); - if (nf_ct_tuple_equal(&conn->tuple, tuple)) { + if (tuple && nf_ct_tuple_equal(&conn->tuple, tuple)) { /* * Just to be sure we have it only once in the list. * We should not see tuples twice unless someone hooks 
@@ -220,6 +220,9 @@ count_tree(struct net *net, struct rb_root *root, goto restart; } + if (!tuple) + return 0; + /* no match, need to insert new node */ rbconn = kmem_cache_alloc(conncount_rb_cachep, GFP_ATOMIC); if (rbconn == NULL) @@ -242,6 +245,9 @@ count_tree(struct net *net, struct rb_root *root, return 1; } +/* Count and return number of conntrack entries in 'net' with particular 'key'. + * If 'tuple' is not null, insert it into the accounting data structure. + */ unsigned int nf_conncount_count(struct net *net, struct nf_conncount_data *data, const u32 *key,
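
Review bot: the nf_conntrack_count.h hunk of patch 1/2 drops `unsigned int family` from nf_conncount_count() while the hunk-header context shows nf_conncount_destroy() still taking `unsigned int family`, and the commit message does not explain why the two now differ. The diff updates only the call in xt_connlimit.c, so a sentence in the commit message confirming that this is the only caller, and saying why the family is still needed on the destroy side, would make the signature change easier to verify.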
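
Review bot: `*addit = tuple ? true : false;` in the first check_hlist() hunk of patch 2/2 (@@ -104,7 +104,7 @@) uses a ternary only to turn a pointer into a bool, which is redundant. `*addit = tuple != NULL;` expresses the same thing and reads more directly next to the `tuple &&` test added in the following hunk.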
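
Review bot: the early `return 0` added to count_tree() in hunk @@ -220,6 +220,9 @@ of patch 2/2 gives 0 a second meaning that callers can easily misread. With a NULL 'tuple' it now means that no entry exists for the key, while the existing caller shown in the xt_connlimit.c context of patch 1/2 treats 0 as an allocation failure (`if (connections == 0) /* kmalloc failed, drop it entirely */`) and drops the packet. A count-only caller that copies that check would act on the wrong condition, so the meaning of a 0 return in each mode should be spelled out where the API is documented.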
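
Review bot: the comment added above nf_conncount_count() in hunk @@ -242,6 +245,9 @@ of patch 2/2 writes "null" where the code tests against NULL, and it sits only in nf_conncount.c although users of the API will look at the prototype in include/net/netfilter/nf_conntrack_count.h. Consider using NULL in the wording, putting the description (or a pointer to it) next to the prototype, and mentioning that the function takes one of the nf_conncount_locks with spin_lock_bh(), as the context in patch 1/2 shows, since that matters to a new statistics or debugging caller.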