From patchwork Tue May 17 17:20:47 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1632478 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: bilbo.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=J6W7vEG5; dkim-atps=neutral Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by bilbo.ozlabs.org (Postfix) with ESMTP id 4L2jZj4tdcz9s75 for ; Wed, 18 May 2022 03:21:17 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1351405AbiEQRVO (ORCPT ); Tue, 17 May 2022 13:21:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48580 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1351383AbiEQRVM (ORCPT ); Tue, 17 May 2022 13:21:12 -0400 Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 66FC2255AB for ; Tue, 17 May 2022 10:21:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=mfRY2jBoDQQ2Q68SheBYIit2q5mfQP6YhB1Kw4XlMYw=; b=J6W7vEG5axkEErti7mEDWQF7Du 
e0QjiRAuv6r+zrEczXP63AJ3zljV9jhgUtsDjIv5pnotTpzcXb5NoeXVyzEmSdAqfm3TpzpJGjOz9 tx1YmNKr6i11bDdji+9XI28lgoj62FWJuxhq97nu/RuEdggRtfCUJQYEmuw3YNXyc5fOpyRU1Evgt Bh+a5Z85xYqgr12LTWy4hSzb/Ik2Gh1nFzCOyNMuYGfpupJJG+pMkTLjy21EvjP9ECgmyTFvivHZL FwTQjNqp7ZIeTFJ62oqs6ZF3oLzP46CZSy1GqQqBI25SbF7Q6xDAISx7NWUNCfEUHE+a6wQIbtJQu 8k4IcrMA==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.94.2) (envelope-from ) id 1nr0sf-0005o5-Qs; Tue, 17 May 2022 19:21:09 +0200 From: Phil Sutter To: Pablo Neira Ayuso Cc: netfilter-devel@vger.kernel.org Subject: [PATCH v4 1/4] netfilter: nf_tables: Store net size in nft_expr_ops::size Date: Tue, 17 May 2022 19:20:47 +0200 Message-Id: <20220517172050.32653-2-phil@nwl.cc> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220517172050.32653-1-phil@nwl.cc> References: <20220517172050.32653-1-phil@nwl.cc> MIME-Version: 1.0 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Prepare for expressions of different size in ruleset blob by storing only the per-expression payload in struct nft_expr_ops' size field instead of a value depending on size of struct nft_expr. Signed-off-by: Phil Sutter --- Changes since v3: - Adjust nft_setelem_expr_foreach() and nft_expr_next() accordingly. --- include/net/netfilter/nf_tables.h | 8 +++++--- net/netfilter/nf_tables_api.c | 23 +++++++++++++---------- 2 files changed, 18 insertions(+), 13 deletions(-) diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index 20af9d3557b9d..3efdc68497148 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h 
@@ -335,7 +335,8 @@ struct nft_set_estimate { }; #define NFT_EXPR_MAXATTR 16 -#define NFT_EXPR_SIZE(size) (sizeof(struct nft_expr) + \ +#define NFT_EXPR_SIZE(size) size +#define NFT_EXPR_FULL_SIZE(size) (sizeof(struct nft_expr) + \ ALIGN(size, __alignof__(struct nft_expr))) /** @@ -464,7 +465,8 @@ struct nft_set_elem_expr { #define nft_setelem_expr_foreach(__expr, __elem_expr, __size) \ for (__expr = nft_setelem_expr_at(__elem_expr, 0), __size = 0; \ __size < (__elem_expr)->size; \ - __size += (__expr)->ops->size, __expr = ((void *)(__expr)) + (__expr)->ops->size) + __size += NFT_EXPR_FULL_SIZE((__expr)->ops->size), \ + __expr = ((void *)(__expr)) + NFT_EXPR_FULL_SIZE((__expr)->ops->size)) #define NFT_SET_EXPR_MAX 2 @@ -940,7 +942,7 @@ static inline struct nft_expr *nft_expr_first(const struct nft_rule *rule) static inline struct nft_expr *nft_expr_next(const struct nft_expr *expr) { - return ((void *)expr) + expr->ops->size; + return ((void *)expr) + NFT_EXPR_FULL_SIZE(expr->ops->size); } static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index f3ad02a399f8a..609fc9137ac01 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -2876,7 +2876,8 @@ static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx, goto err1; err = -ENOMEM; - expr = kzalloc(expr_info.ops->size, GFP_KERNEL_ACCOUNT); + expr = kzalloc(NFT_EXPR_FULL_SIZE(expr_info.ops->size), + GFP_KERNEL_ACCOUNT); if (expr == NULL) goto err2; @@ -2907,7 +2908,7 @@ int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src) if (err < 0) return err; } else { - memcpy(dst, src, src->ops->size); + memcpy(dst, src, NFT_EXPR_FULL_SIZE(src->ops->size)); } __module_get(src->ops->type->owner); 
@@ -3468,7 +3469,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, NL_SET_BAD_ATTR(extack, tmp); goto err_release_expr; } - size += expr_info[n].ops->size; + size += NFT_EXPR_FULL_SIZE(expr_info[n].ops->size); n++; } } @@ -5526,7 +5527,8 @@ int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set, int err, i, k; for (i = 0; i < set->num_exprs; i++) { - expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL_ACCOUNT); + expr = kzalloc(NFT_EXPR_FULL_SIZE(set->exprs[i]->ops->size), + GFP_KERNEL_ACCOUNT); if (!expr) goto err_expr; @@ -5562,7 +5564,7 @@ static int nft_set_elem_expr_setup(struct nft_ctx *ctx, if (err < 0) goto err_elem_expr_setup; - elem_expr->size += expr_array[i]->ops->size; + elem_expr->size += NFT_EXPR_FULL_SIZE(expr_array[i]->ops->size); nft_expr_destroy(ctx, expr_array[i]); expr_array[i] = NULL; } @@ -5929,7 +5931,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, if (num_exprs) { for (i = 0; i < num_exprs; i++) - size += expr_array[i]->ops->size; + size += NFT_EXPR_FULL_SIZE(expr_array[i]->ops->size); nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS, sizeof(struct nft_set_elem_expr) + @@ -8356,9 +8358,9 @@ static bool nft_expr_reduce(struct nft_regs_track *track, static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain) { + unsigned int size, expr_size, data_size; const struct nft_expr *expr, *last; struct nft_regs_track track = {}; - unsigned int size, data_size; void *data, *data_boundary; struct nft_rule_dp *prule; struct nft_rule *rule; 
@@ -8404,11 +8406,12 @@ static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *cha continue; } - if (WARN_ON_ONCE(data + expr->ops->size > data_boundary)) + expr_size = NFT_EXPR_FULL_SIZE(expr->ops->size); + if (WARN_ON_ONCE(data + expr_size > data_boundary)) return -ENOMEM; - memcpy(data + size, expr, expr->ops->size); - size += expr->ops->size; + memcpy(data + size, expr, expr_size); + size += expr_size; } if (WARN_ON_ONCE(size >= 1 << 12)) return -ENOMEM; From patchwork Tue May 17 17:20:48 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1632476 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: bilbo.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=qdldkGjH; dkim-atps=neutral Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by bilbo.ozlabs.org (Postfix) with ESMTP id 4L2jZg1v7Rz9s0w for ; Wed, 18 May 2022 03:21:15 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231726AbiEQRVJ (ORCPT ); Tue, 17 May 2022 13:21:09 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48256 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1351433AbiEQRVF (ORCPT ); Tue, 17 May 2022 13:21:05 -0400 Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 19E2B165A5 for ; Tue, 17 May 2022 10:21:01 -0700 (PDT) DKIM-Signature: v=1; 
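Review bot: in 1/4, the new `#define NFT_EXPR_SIZE(size) size` in the first nf_tables.h hunk should parenthesise its argument, `#define NFT_EXPR_SIZE(size) (size)`, like NFT_EXPR_FULL_SIZE beside it; an identity macro expanding unparenthesised into a caller's expression is what checkpatch's complex-macro warning exists for. The bigger point is that this hunk changes the meaning of `ops->size` for every expression type without saying so in the header: a one-line comment above the two macros stating that NFT_EXPR_SIZE is the per-expression payload and NFT_EXPR_FULL_SIZE the allocation and iteration stride would help the next person who adds an `ops->size` user. Since the v3-to-v4 note says nft_setelem_expr_foreach() and nft_expr_next() were only caught on the last round and the diffstat touches just these two files, the commit message should also list the remaining `ops->size` consumers that were audited, so reviewers can confirm nothing still steps through memory by the bare payload size.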
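Review bot: in 1/4's last nf_tables_api.c hunk, the bounds check `WARN_ON_ONCE(data + expr_size > data_boundary)` does not include `size`, the offset inside the rule at which the copy actually lands (`memcpy(data + size, expr, expr_size)`), so for a rule with several expressions the check undershoots by the bytes already copied. The flaw is pre-existing, but since the hunk rewrites that line anyway, `data + size + expr_size > data_boundary` would make the WARN_ON_ONCE guard the copy it precedes.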
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org
Subject: [PATCH v4 2/4] netfilter: nf_tables: Introduce struct nft_expr_dp
Date: Tue, 17 May 2022 19:20:48 +0200
Message-Id: <20220517172050.32653-3-phil@nwl.cc>
In-Reply-To: <20220517172050.32653-1-phil@nwl.cc>
References: <20220517172050.32653-1-phil@nwl.cc>

This is a minimal variant of struct nft_expr for use in the ruleset blob.

Signed-off-by: Phil Sutter
---
 include/net/netfilter/nf_tables.h | 9 ++++++++-
 net/netfilter/nf_tables_api.c     | 11 ++++++++---
 2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index 3efdc68497148..d4da396052018 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -338,6 +338,8 @@ struct nft_set_estimate { #define NFT_EXPR_SIZE(size) size #define NFT_EXPR_FULL_SIZE(size) (sizeof(struct nft_expr) + \ ALIGN(size, __alignof__(struct nft_expr))) +#define NFT_EXPR_DP_SIZE(size) (sizeof(struct nft_expr_dp) + \ + ALIGN(size, __alignof__(struct nft_expr_dp))) /** * struct nft_expr - nf_tables expression @@ -993,12 +995,17 @@ static inline void nft_set_elem_update_expr(const struct nft_set_ext *ext, #define NFT_CHAIN_POLICY_UNSET U8_MAX +struct nft_expr_dp { + const struct nft_expr_ops *ops; + unsigned char data[] __aligned(__alignof__(u64)); +}; + struct nft_rule_dp { u64 is_last:1, dlen:12, handle:42; /* for tracing */ unsigned char data[] - __attribute__((aligned(__alignof__(struct nft_expr)))); + __aligned(__alignof__(struct nft_expr_dp)); }; struct nft_rule_blob { diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 609fc9137ac01..ba2f712823776 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -8363,6 +8363,7 @@ static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *cha struct nft_regs_track track = {}; void *data, *data_boundary; struct nft_rule_dp *prule; + struct nft_expr_dp *pexpr; struct nft_rule *rule; /* already handled or inactive chain? */ @@ -8372,7 +8373,9 @@ static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *cha data_size = 0; list_for_each_entry(rule, &chain->rules, list) { if (nft_is_active_next(net, rule)) { - data_size += sizeof(*prule) + rule->dlen; + data_size += sizeof(*prule); + nft_rule_for_each_expr(expr, last, rule) + data_size += NFT_EXPR_DP_SIZE(expr->ops->size); if (data_size > INT_MAX) return -ENOMEM; } 
@@ -8406,11 +8409,13 @@ static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *cha continue; } - expr_size = NFT_EXPR_FULL_SIZE(expr->ops->size); + expr_size = NFT_EXPR_DP_SIZE(expr->ops->size); if (WARN_ON_ONCE(data + expr_size > data_boundary)) return -ENOMEM; - memcpy(data + size, expr, expr_size); + pexpr = (struct nft_expr_dp *)(data + size); + pexpr->ops = expr->ops; + memcpy(pexpr->data, expr->data, expr->ops->size); size += expr_size; } if (WARN_ON_ONCE(size >= 1 << 12)) From patchwork Tue May 17 17:20:49 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1632480 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: bilbo.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=Uz0fpjd8; dkim-atps=neutral Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by bilbo.ozlabs.org (Postfix) with ESMTP id 4L2jbQ6mHJz9s0w for ; Wed, 18 May 2022 03:21:54 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1351474AbiEQRVw (ORCPT ); Tue, 17 May 2022 13:21:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49244 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1351404AbiEQRVZ (ORCPT ); Tue, 17 May 2022 13:21:25 -0400 Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 85F2628E0A for ; Tue, 17 May 2022 10:21:22 -0700 (PDT) 
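Review bot: in 2/4's nf_tables.h hunk, `struct nft_expr_dp` gets no kernel-doc comment although `struct nft_expr` directly above it has one (the `* struct nft_expr - nf_tables expression` line sits in this hunk's context); a short block stating that this is the blob-resident form of an expression and that only `ops` plus the `ops->size` payload bytes are copied into it would fix the contract in place. The commit message should also say that, at this point in the series, nft_expr_dp has exactly the same layout as nft_expr (an ops pointer followed by a u64-aligned `data[]`), so NFT_EXPR_DP_SIZE equals NFT_EXPR_FULL_SIZE and the split only pays off once 3/4 adds a `flags` word to struct nft_expr; "minimal variant" on its own does not explain why the copy loop changes.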
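Review bot: in 2/4's last nf_tables_api.c hunk, the copy now writes `pexpr->ops` and `pexpr->data` at a stride of NFT_EXPR_DP_SIZE, so whatever walks `struct nft_rule_dp::data` on the packet path has to advance by the same stride and read `ops` through `struct nft_expr_dp`. The diffstat touches only nf_tables.h and nf_tables_api.c, so either the commit message should state that the walker keeps working because nft_expr_dp is layout-compatible with nft_expr until 3/4 lands, or the walker should be converted to the new type in this patch, before 3/4 changes sizeof(struct nft_expr), so the series stays bisectable.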
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org
Subject: [PATCH v4 3/4] netfilter: nf_tables: Introduce expression flags
Date: Tue, 17 May 2022 19:20:49 +0200
Message-Id: <20220517172050.32653-4-phil@nwl.cc>
In-Reply-To: <20220517172050.32653-1-phil@nwl.cc>
References: <20220517172050.32653-1-phil@nwl.cc>

Allow dumping some info bits about expressions to user space.

Signed-off-by: Phil Sutter
---
 include/net/netfilter/nf_tables.h        | 1 +
 include/uapi/linux/netfilter/nf_tables.h | 1 +
 net/netfilter/nf_tables_api.c            | 4 ++++
 3 files changed, 6 insertions(+)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index d4da396052018..34add1acaac73 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -349,6 +349,7 @@ struct nft_set_estimate { */ struct nft_expr { const struct nft_expr_ops *ops; + u32 flags; unsigned char data[] __attribute__((aligned(__alignof__(u64)))); }; diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index 466fd3f4447c2..36bf019322a44 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h @@ -518,6 +518,7 @@ enum nft_expr_attributes { NFTA_EXPR_UNSPEC, NFTA_EXPR_NAME, NFTA_EXPR_DATA, + NFTA_EXPR_FLAGS, __NFTA_EXPR_MAX }; #define NFTA_EXPR_MAX (__NFTA_EXPR_MAX - 1) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index ba2f712823776..608c5e684dff7 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -2731,6 +2731,7 @@ static const struct nft_expr_type *nft_expr_type_get(struct net *net, static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = { [NFTA_EXPR_NAME] = { .type = NLA_STRING, .len = NFT_MODULE_AUTOLOAD_LIMIT }, + [NFTA_EXPR_FLAGS] = { .type = NLA_U32 }, [NFTA_EXPR_DATA] = { .type = NLA_NESTED }, }; 
@@ -2740,6 +2741,9 @@ static int nf_tables_fill_expr_info(struct sk_buff *skb, if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name)) goto nla_put_failure; + if (nla_put_u32(skb, NFTA_EXPR_FLAGS, expr->flags)) + goto nla_put_failure; + if (expr->ops->dump) { struct nlattr *data = nla_nest_start_noflag(skb, NFTA_EXPR_DATA); From patchwork Tue May 17 17:20:50 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1632477 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: bilbo.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=deOsbM6g; dkim-atps=neutral Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by bilbo.ozlabs.org (Postfix) with ESMTP id 4L2jZj23xgz9s5V for ; Wed, 18 May 2022 03:21:17 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1351384AbiEQRVL (ORCPT ); Tue, 17 May 2022 13:21:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48378 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1351440AbiEQRVH (ORCPT ); Tue, 17 May 2022 13:21:07 -0400 Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1B4A0B48D for ; Tue, 17 May 2022 10:21:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: 
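Review bot: in 3/4's nf_tables.h hunk, placing `u32 flags` between the `ops` pointer and the u64-aligned `data[]` grows sizeof(struct nft_expr) from 8 to 16 bytes on 64-bit (4 bytes of flags plus 4 bytes of padding), and nft_expr_clone() will now memcpy the flags along with the payload; the commit message says only "dumping some info bits", so please spell out the size growth and that 2/4's nft_expr_dp is what keeps it out of the datapath blob. The struct's kernel-doc comment (visible in 2/4's context) also needs an `@flags:` entry.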
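Review bot: in 3/4's nft_expr_policy hunk, `[NFTA_EXPR_FLAGS] = { .type = NLA_U32 }` makes the attribute acceptable on input, yet nothing in the patch reads it, so flags supplied by userspace are silently ignored. Either document in the uapi header that NFTA_EXPR_FLAGS is kernel-to-userspace only, or reject it on input, so that a future input meaning for these bits cannot collide with old userspace that already sets them. The uapi enum entry also needs an `@NFTA_EXPR_FLAGS:` line in its kernel-doc, the way the header's neighbouring enums document theirs (see the `enum nft_immediate_attributes` comment in 4/4's context).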
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org
Subject: [PATCH v4 4/4] netfilter: nf_tables: Annotate reduced expressions
Date: Tue, 17 May 2022 19:20:50 +0200
Message-Id: <20220517172050.32653-5-phil@nwl.cc>
In-Reply-To: <20220517172050.32653-1-phil@nwl.cc>
References: <20220517172050.32653-1-phil@nwl.cc>

Introduce NFTA_EXPR_FLAG_REDUCED and set it for expressions which were
omitted from the rule blob due to being redundant. This allows user space
to verify the rule optimizer's results.

Signed-off-by: Phil Sutter
---
 include/uapi/linux/netfilter/nf_tables.h | 7 +++++++
 net/netfilter/nf_tables_api.c            | 8 ++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index 36bf019322a44..1da84ebc3f27a 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h @@ -523,6 +523,13 @@ enum nft_expr_attributes { }; #define NFTA_EXPR_MAX (__NFTA_EXPR_MAX - 1) +/** + * NFTA_EXPR_FLAGS values + * + * @NFTA_EXPR_FLAG_REDUCED: redundant expression omitted from blob + */ +#define NFTA_EXPR_FLAG_REDUCED (1 << 0) + /** * enum nft_immediate_attributes - nf_tables immediate expression netlink attributes * diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 608c5e684dff7..01141412cb052 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -8363,8 +8363,8 @@ static bool nft_expr_reduce(struct nft_regs_track *track, static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain) { unsigned int size, expr_size, data_size; - const struct nft_expr *expr, *last; struct nft_regs_track track = {}; + struct nft_expr *expr, *last; void *data, *data_boundary; struct nft_rule_dp *prule; struct nft_expr_dp *pexpr; @@ -8409,7 +8409,11 @@ static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *cha track.cur = expr; if (nft_expr_reduce(&track, expr)) { - expr = track.cur; + expr->flags |= NFTA_EXPR_FLAG_REDUCED; + while (expr != track.cur) { + expr = nft_expr_next(expr); + expr->flags |= NFTA_EXPR_FLAG_REDUCED; + } continue; }
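Review bot: in 4/4's uapi hunk, the `/** ... NFTA_EXPR_FLAGS values ... @NFTA_EXPR_FLAG_REDUCED: ... */` block uses the kernel-doc `/**` opener but is attached to no struct, enum or function, which scripts/kernel-doc reports as a warning; either make it a plain `/*` comment or define the flag bits as an enum with a proper kernel-doc header, which also gives the `NFTA_EXPR_FLAGS` entry added in 3/4 something to point at when it documents its value range.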
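Review bot: in 4/4's nf_tables_api.c hunk, NFTA_EXPR_FLAG_REDUCED is only ever OR-ed in (`expr->flags |= NFTA_EXPR_FLAG_REDUCED;`) and never cleared. nf_tables_commit_chain_prepare() rebuilds the blob from the chain's active rules on each commit, and whether nft_expr_reduce() may drop an expression depends on the register state that `track` has accumulated from what precedes it, so once a later transaction changes the preceding rules an expression that is no longer redundant keeps a stale bit and the dump misreports the optimiser's result. Clear it at the top of the nft_rule_for_each_expr() body, `expr->flags &= ~NFTA_EXPR_FLAG_REDUCED;`, before `track.cur = expr;`, so the flag always describes the blob that was just built.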