[RFC,v2,1/9] netfilter: nf_queue: carry index in hook state

Message ID	20221005141309.31758-2-fw@strlen.de (mailing list archive)
State	RFC
Delegated to:	Netdev Maintainers
Headers	show Return-Path: <bpf-owner@kernel.org> From: Florian Westphal <fw@strlen.de> To: bpf@vger.kernel.org Cc: Florian Westphal <fw@strlen.de> Subject: [RFC v2 1/9] netfilter: nf_queue: carry index in hook state Date: Wed, 5 Oct 2022 16:13:01 +0200 Message-Id: <20221005141309.31758-2-fw@strlen.de> In-Reply-To: <20221005141309.31758-1-fw@strlen.de> References: <20221005141309.31758-1-fw@strlen.de> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	netfilter: bpf base hook program generator \| expand [RFC,0/9,v2] netfilter: bpf base hook program generator [RFC,v2,1/9] netfilter: nf_queue: carry index in hook state [RFC,v2,2/9] netfilter: nat: split nat hook iteration into a helper [RFC,v2,3/9] netfilter: remove hook index from nf_hook_slow arguments [RFC,v2,4/9] netfilter: make hook functions accept only one argument [RFC,v2,5/9] netfilter: reduce allowed hook count to 32 [RFC,v2,6/9] netfilter: add bpf base hook program generator [RFC,v2,7/9] netfilter: core: do not rebuild bpf program on dying netns [RFC,v2,8/9] netfilter: netdev: switch to invocation via bpf [RFC,v2,9/9] netfilter: hook_jit: add prog cache

Message ID

20221005141309.31758-2-fw@strlen.de (mailing list archive)

State

RFC

Delegated to:

Netdev Maintainers

Headers

From: Florian Westphal <fw@strlen.de>
To: bpf@vger.kernel.org
Cc: Florian Westphal <fw@strlen.de>
Subject: [RFC v2 1/9] netfilter: nf_queue: carry index in hook state
Date: Wed,  5 Oct 2022 16:13:01 +0200
Message-Id: <20221005141309.31758-2-fw@strlen.de>
In-Reply-To: <20221005141309.31758-1-fw@strlen.de>
References: <20221005141309.31758-1-fw@strlen.de>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

netfilter: bpf base hook program generator | expand

Context	Check	Description
netdev/tree_selection	success	Guessed tree name to be net-next, async
netdev/fixes_present	success	Fixes tag not required for -next series
netdev/subject_prefix	success	Link
netdev/cover_letter	success	Series has a cover letter
netdev/patch_count	success	Link
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 224 this patch: 224
netdev/cc_maintainers	warning	12 maintainers not CCed: kuba@kernel.org razor@blackwall.org davem@davemloft.net pablo@netfilter.org netfilter-devel@vger.kernel.org bridge@lists.linux-foundation.org netdev@vger.kernel.org kadlec@netfilter.org roopa@nvidia.com coreteam@netfilter.org edumazet@google.com pabeni@redhat.com
netdev/build_clang	success	Errors and warnings before: 60 this patch: 60
netdev/module_param	success	Was 0 now: 0
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	No Fixes tag
netdev/build_allmodconfig_warn	success	Errors and warnings before: 228 this patch: 228
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 93 lines checked
netdev/kdoc	success	Errors and warnings before: 11 this patch: 11
netdev/source_inline	success	Was 0 now: 0

Context

Check

Description

netdev/tree_selection

success

Guessed tree name to be net-next, async

netdev/fixes_present

success

Fixes tag not required for -next series

netdev/subject_prefix

success

Link

netdev/cover_letter

success

Series has a cover letter

netdev/patch_count

success

Link

netdev/header_inline

success

No static functions without inline keyword in header files

netdev/build_32bit

success

Errors and warnings before: 224 this patch: 224

netdev/cc_maintainers

warning

12 maintainers not CCed: kuba@kernel.org razor@blackwall.org davem@davemloft.net pablo@netfilter.org netfilter-devel@vger.kernel.org bridge@lists.linux-foundation.org netdev@vger.kernel.org kadlec@netfilter.org roopa@nvidia.com coreteam@netfilter.org edumazet@google.com pabeni@redhat.com

netdev/build_clang

success

Errors and warnings before: 60 this patch: 60

netdev/module_param

success

Was 0 now: 0

netdev/verify_signedoff

success

Signed-off-by tag matches author and committer

netdev/check_selftest

success

No net selftest shell script

netdev/verify_fixes

success

No Fixes tag

netdev/build_allmodconfig_warn

success

Errors and warnings before: 228 this patch: 228

netdev/checkpatch

success

total: 0 errors, 0 warnings, 0 checks, 93 lines checked

netdev/kdoc

success

Errors and warnings before: 11 this patch: 11

netdev/source_inline

success

Was 0 now: 0

Commit Message

Florian Westphal Oct. 5, 2022, 2:13 p.m. UTC

Rather than passing the index (hook function to call next)
as function argument, store it in the hook state.

This is a prerequesite to allow passing all nf hook arguments in a single
structure.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/linux/netfilter.h        |  1 +
 include/net/netfilter/nf_queue.h |  3 +--
 net/bridge/br_input.c            |  3 ++-
 net/netfilter/core.c             |  6 +++++-
 net/netfilter/nf_queue.c         | 12 ++++++------
 5 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index d8817d381c14..7a1a2c4787f0 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -67,6 +67,7 @@  struct sock;
 struct nf_hook_state {
 	u8 hook;
 	u8 pf;
+	u16 hook_index; /* index in hook_entries->hook[] */
 	struct net_device *in;
 	struct net_device *out;
 	struct sock *sk;
diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h
index 980daa6e1e3a..bdcdece2bbff 100644
--- a/include/net/netfilter/nf_queue.h
+++ b/include/net/netfilter/nf_queue.h
@@ -13,7 +13,6 @@  struct nf_queue_entry {
 	struct list_head	list;
 	struct sk_buff		*skb;
 	unsigned int		id;
-	unsigned int		hook_index;	/* index in hook_entries->hook[] */
 #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
 	struct net_device	*physin;
 	struct net_device	*physout;
@@ -125,6 +124,6 @@  nfqueue_hash(const struct sk_buff *skb, u16 queue, u16 queues_total, u8 family,
 }
 
 int nf_queue(struct sk_buff *skb, struct nf_hook_state *state,
-	     unsigned int index, unsigned int verdict);
+	     unsigned int verdict);
 
 #endif /* _NF_QUEUE_H */
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index 68b3e850bcb9..5be7e4573528 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -264,7 +264,8 @@  static int nf_hook_bridge_pre(struct sk_buff *skb, struct sk_buff **pskb)
 			kfree_skb(skb);
 			return RX_HANDLER_CONSUMED;
 		case NF_QUEUE:
-			ret = nf_queue(skb, &state, i, verdict);
+			state.hook_index = i;
+			ret = nf_queue(skb, &state, verdict);
 			if (ret == 1)
 				continue;
 			return RX_HANDLER_CONSUMED;
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 5a6705a0e4ec..c094742e3ec3 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -623,7 +623,8 @@  int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state,
 				ret = -EPERM;
 			return ret;
 		case NF_QUEUE:
-			ret = nf_queue(skb, state, s, verdict);
+			state->hook_index = s;
+			ret = nf_queue(skb, state, verdict);
 			if (ret == 1)
 				continue;
 			return ret;
@@ -772,6 +773,9 @@  int __init netfilter_init(void)
 {
 	int ret;
 
+	/* state->index */
+	BUILD_BUG_ON(MAX_HOOK_COUNT > USHRT_MAX);
+
 	ret = register_pernet_subsys(&netfilter_net_ops);
 	if (ret < 0)
 		goto err;
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index 63d1516816b1..9f9dfde3e054 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -156,7 +156,7 @@  static void nf_ip6_saveroute(const struct sk_buff *skb,
 }
 
 static int __nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
-		      unsigned int index, unsigned int queuenum)
+		      unsigned int queuenum)
 {
 	struct nf_queue_entry *entry = NULL;
 	const struct nf_queue_handler *qh;
@@ -204,7 +204,6 @@  static int __nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
 	*entry = (struct nf_queue_entry) {
 		.skb	= skb,
 		.state	= *state,
-		.hook_index = index,
 		.size	= sizeof(*entry) + route_key_size,
 	};
 
@@ -235,11 +234,11 @@  static int __nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
 
 /* Packets leaving via this function must come back through nf_reinject(). */
 int nf_queue(struct sk_buff *skb, struct nf_hook_state *state,
-	     unsigned int index, unsigned int verdict)
+	     unsigned int verdict)
 {
 	int ret;
 
-	ret = __nf_queue(skb, state, index, verdict >> NF_VERDICT_QBITS);
+	ret = __nf_queue(skb, state, verdict >> NF_VERDICT_QBITS);
 	if (ret < 0) {
 		if (ret == -ESRCH &&
 		    (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS))
@@ -311,7 +310,7 @@  void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
 
 	hooks = nf_hook_entries_head(net, pf, entry->state.hook);
 
-	i = entry->hook_index;
+	i = entry->state.hook_index;
 	if (WARN_ON_ONCE(!hooks || i >= hooks->num_hook_entries)) {
 		kfree_skb(skb);
 		nf_queue_entry_free(entry);
@@ -343,7 +342,8 @@  void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
 		local_bh_enable();
 		break;
 	case NF_QUEUE:
-		err = nf_queue(skb, &entry->state, i, verdict);
+		entry->state.hook_index = i;
+		err = nf_queue(skb, &entry->state, verdict);
 		if (err == 1)
 			goto next_hook;
 		break;

[RFC,v2,1/9] netfilter: nf_queue: carry index in hook state

Checks

Commit Message

Patch