From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH v3 nf-next 07/12] netfilter: don't call nf_hook_state_init/_hook_slow unless needed
Date: Thu, 3 Dec 2015 10:49:40 +0100 [thread overview]
Message-ID: <1449136185-4165-8-git-send-email-fw@strlen.de> (raw)
In-Reply-To: <1449136185-4165-1-git-send-email-fw@strlen.de>
With the previous patches in place, a netns nf_hook_list might be empty,
even if e.g. init_net performs filtering/conntrack.
Thus, change nf_hook_thresh to check the hook_list as well before
initializing hook_state and calling nf_hook_slow().
We still make use of static keys, if no netfilter hooks are loaded we can
elide further testing since list is guaranteed to be empty.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
no changes since v2
include/linux/netfilter.h | 29 +++++++++++------------------
1 file changed, 11 insertions(+), 18 deletions(-)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 0ad5567..9230f9a 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -141,22 +141,6 @@ void nf_unregister_sockopt(struct nf_sockopt_ops *reg);
#ifdef HAVE_JUMP_LABEL
extern struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
-
-static inline bool nf_hook_list_active(struct list_head *hook_list,
- u_int8_t pf, unsigned int hook)
-{
- if (__builtin_constant_p(pf) &&
- __builtin_constant_p(hook))
- return static_key_false(&nf_hooks_needed[pf][hook]);
-
- return !list_empty(hook_list);
-}
-#else
-static inline bool nf_hook_list_active(struct list_head *hook_list,
- u_int8_t pf, unsigned int hook)
-{
- return !list_empty(hook_list);
-}
#endif
int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state);
@@ -177,9 +161,18 @@ static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook,
int (*okfn)(struct net *, struct sock *, struct sk_buff *),
int thresh)
{
- struct list_head *hook_list = &net->nf.hooks[pf][hook];
+ struct list_head *hook_list;
+
+#ifdef HAVE_JUMP_LABEL
+ if (__builtin_constant_p(pf) &&
+ __builtin_constant_p(hook) &&
+ !static_key_false(&nf_hooks_needed[pf][hook]))
+ return 1;
+#endif
+
+ hook_list = &net->nf.hooks[pf][hook];
- if (nf_hook_list_active(hook_list, pf, hook)) {
+ if (!list_empty(hook_list)) {
struct nf_hook_state state;
nf_hook_state_init(&state, hook_list, hook, thresh,
--
2.4.10
next prev parent reply other threads:[~2015-12-03 9:50 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-03 9:49 [PATCH v3 nf-next 0/12] netfilter: don't copy init ns hooks to new namespaces Florian Westphal
2015-12-03 9:49 ` [PATCH v3 nf-next 01/12] netfilter: add and use nf_ct_netns_get/put Florian Westphal
2015-12-03 9:49 ` [PATCH v3 nf-next 02/12] netfilter: conntrack: register hooks in netns when needed by ruleset Florian Westphal
2015-12-03 9:49 ` [PATCH v3 nf-next 03/12] netfilter: xtables: don't register table hooks in namespace at init time Florian Westphal
2015-12-03 9:49 ` [PATCH v3 nf-next 04/12] netfilter: defrag: only register defrag functionality if needed Florian Westphal
2015-12-03 9:49 ` [PATCH v3 nf-next 05/12] netfilter: nat: add dependencies on conntrack module Florian Westphal
2015-12-03 9:49 ` [PATCH v3 nf-next 06/12] netfilter: bridge: register hooks only when bridge interface is added Florian Westphal
2015-12-03 9:49 ` Florian Westphal [this message]
2015-12-03 9:49 ` [PATCH v3 nf-next 08/12] nftables: add conntrack dependencies for nat/masq/redir expressions Florian Westphal
2015-12-03 9:49 ` [PATCH v3 nf-next 09/12] nfnetlink: add nfnl_dereference_protected helper Florian Westphal
2015-12-18 10:39 ` Pablo Neira Ayuso
2015-12-03 9:49 ` [PATCH v3 nf-next 10/12] netfilter: ctnetlink: make ctnetlink bind register conntrack hooks Florian Westphal
2015-12-03 9:49 ` [PATCH v3 nf-next 11/12] netfilter: hook up nfnetlink log/queue to " Florian Westphal
2015-12-03 9:49 ` [PATCH v3 nf-next 12/12] netfilter: inform ctnetlink about new l3 protocol trackers Florian Westphal
2015-12-18 11:42 ` [PATCH v3 nf-next 0/12] netfilter: don't copy init ns hooks to new namespaces Pablo Neira Ayuso
2015-12-20 21:01 ` Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1449136185-4165-8-git-send-email-fw@strlen.de \
--to=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.