netfilter: ipset: Count non-static extension memory for userspace
Non-static (i.e. comment) extension was not counted into the memory size. A new internal counter is introduced for this. In the case of the hash types the sizes of the arrays are counted there as well so that we can avoid to scan the whole set when just the header data is requested. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
This commit is contained in:
parent
702b71e7c6
commit
9e41f26a50
|
@ -79,10 +79,12 @@ enum ip_set_ext_id {
|
||||||
IPSET_EXT_ID_MAX,
|
IPSET_EXT_ID_MAX,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
struct ip_set;
|
||||||
|
|
||||||
/* Extension type */
|
/* Extension type */
|
||||||
struct ip_set_ext_type {
|
struct ip_set_ext_type {
|
||||||
/* Destroy extension private data (can be NULL) */
|
/* Destroy extension private data (can be NULL) */
|
||||||
void (*destroy)(void *ext);
|
void (*destroy)(struct ip_set *set, void *ext);
|
||||||
enum ip_set_extension type;
|
enum ip_set_extension type;
|
||||||
enum ipset_cadt_flags flag;
|
enum ipset_cadt_flags flag;
|
||||||
/* Size and minimal alignment */
|
/* Size and minimal alignment */
|
||||||
|
@ -252,6 +254,8 @@ struct ip_set {
|
||||||
u32 timeout;
|
u32 timeout;
|
||||||
/* Number of elements (vs timeout) */
|
/* Number of elements (vs timeout) */
|
||||||
u32 elements;
|
u32 elements;
|
||||||
|
/* Size of the dynamic extensions (vs timeout) */
|
||||||
|
size_t ext_size;
|
||||||
/* Element data size */
|
/* Element data size */
|
||||||
size_t dsize;
|
size_t dsize;
|
||||||
/* Offsets to extensions in elements */
|
/* Offsets to extensions in elements */
|
||||||
|
@ -268,7 +272,7 @@ ip_set_ext_destroy(struct ip_set *set, void *data)
|
||||||
*/
|
*/
|
||||||
if (SET_WITH_COMMENT(set))
|
if (SET_WITH_COMMENT(set))
|
||||||
ip_set_extensions[IPSET_EXT_ID_COMMENT].destroy(
|
ip_set_extensions[IPSET_EXT_ID_COMMENT].destroy(
|
||||||
ext_comment(data, set));
|
set, ext_comment(data, set));
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline int
|
static inline int
|
||||||
|
|
|
@ -20,13 +20,14 @@ ip_set_comment_uget(struct nlattr *tb)
|
||||||
* The kadt functions don't use the comment extensions in any way.
|
* The kadt functions don't use the comment extensions in any way.
|
||||||
*/
|
*/
|
||||||
static inline void
|
static inline void
|
||||||
ip_set_init_comment(struct ip_set_comment *comment,
|
ip_set_init_comment(struct ip_set *set, struct ip_set_comment *comment,
|
||||||
const struct ip_set_ext *ext)
|
const struct ip_set_ext *ext)
|
||||||
{
|
{
|
||||||
struct ip_set_comment_rcu *c = rcu_dereference_protected(comment->c, 1);
|
struct ip_set_comment_rcu *c = rcu_dereference_protected(comment->c, 1);
|
||||||
size_t len = ext->comment ? strlen(ext->comment) : 0;
|
size_t len = ext->comment ? strlen(ext->comment) : 0;
|
||||||
|
|
||||||
if (unlikely(c)) {
|
if (unlikely(c)) {
|
||||||
|
set->ext_size -= sizeof(*c) + strlen(c->str) + 1;
|
||||||
kfree_rcu(c, rcu);
|
kfree_rcu(c, rcu);
|
||||||
rcu_assign_pointer(comment->c, NULL);
|
rcu_assign_pointer(comment->c, NULL);
|
||||||
}
|
}
|
||||||
|
@ -38,6 +39,7 @@ ip_set_init_comment(struct ip_set_comment *comment,
|
||||||
if (unlikely(!c))
|
if (unlikely(!c))
|
||||||
return;
|
return;
|
||||||
strlcpy(c->str, ext->comment, len + 1);
|
strlcpy(c->str, ext->comment, len + 1);
|
||||||
|
set->ext_size += sizeof(*c) + strlen(c->str) + 1;
|
||||||
rcu_assign_pointer(comment->c, c);
|
rcu_assign_pointer(comment->c, c);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -58,13 +60,14 @@ ip_set_put_comment(struct sk_buff *skb, const struct ip_set_comment *comment)
|
||||||
* of the set data anymore.
|
* of the set data anymore.
|
||||||
*/
|
*/
|
||||||
static inline void
|
static inline void
|
||||||
ip_set_comment_free(struct ip_set_comment *comment)
|
ip_set_comment_free(struct ip_set *set, struct ip_set_comment *comment)
|
||||||
{
|
{
|
||||||
struct ip_set_comment_rcu *c;
|
struct ip_set_comment_rcu *c;
|
||||||
|
|
||||||
c = rcu_dereference_protected(comment->c, 1);
|
c = rcu_dereference_protected(comment->c, 1);
|
||||||
if (unlikely(!c))
|
if (unlikely(!c))
|
||||||
return;
|
return;
|
||||||
|
set->ext_size -= sizeof(*c) + strlen(c->str) + 1;
|
||||||
kfree_rcu(c, rcu);
|
kfree_rcu(c, rcu);
|
||||||
rcu_assign_pointer(comment->c, NULL);
|
rcu_assign_pointer(comment->c, NULL);
|
||||||
}
|
}
|
||||||
|
|
|
@ -84,6 +84,7 @@ mtype_flush(struct ip_set *set)
|
||||||
mtype_ext_cleanup(set);
|
mtype_ext_cleanup(set);
|
||||||
memset(map->members, 0, map->memsize);
|
memset(map->members, 0, map->memsize);
|
||||||
set->elements = 0;
|
set->elements = 0;
|
||||||
|
set->ext_size = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Calculate the actual memory size of the set data */
|
/* Calculate the actual memory size of the set data */
|
||||||
|
@ -99,7 +100,7 @@ mtype_head(struct ip_set *set, struct sk_buff *skb)
|
||||||
{
|
{
|
||||||
const struct mtype *map = set->data;
|
const struct mtype *map = set->data;
|
||||||
struct nlattr *nested;
|
struct nlattr *nested;
|
||||||
size_t memsize = mtype_memsize(map, set->dsize);
|
size_t memsize = mtype_memsize(map, set->dsize) + set->ext_size;
|
||||||
|
|
||||||
nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
|
nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
|
||||||
if (!nested)
|
if (!nested)
|
||||||
|
@ -173,7 +174,7 @@ mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext,
|
||||||
if (SET_WITH_COUNTER(set))
|
if (SET_WITH_COUNTER(set))
|
||||||
ip_set_init_counter(ext_counter(x, set), ext);
|
ip_set_init_counter(ext_counter(x, set), ext);
|
||||||
if (SET_WITH_COMMENT(set))
|
if (SET_WITH_COMMENT(set))
|
||||||
ip_set_init_comment(ext_comment(x, set), ext);
|
ip_set_init_comment(set, ext_comment(x, set), ext);
|
||||||
if (SET_WITH_SKBINFO(set))
|
if (SET_WITH_SKBINFO(set))
|
||||||
ip_set_init_skbinfo(ext_skbinfo(x, set), ext);
|
ip_set_init_skbinfo(ext_skbinfo(x, set), ext);
|
||||||
|
|
||||||
|
|
|
@ -324,7 +324,7 @@ ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr)
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL_GPL(ip_set_get_ipaddr6);
|
EXPORT_SYMBOL_GPL(ip_set_get_ipaddr6);
|
||||||
|
|
||||||
typedef void (*destroyer)(void *);
|
typedef void (*destroyer)(struct ip_set *, void *);
|
||||||
/* ipset data extension types, in size order */
|
/* ipset data extension types, in size order */
|
||||||
|
|
||||||
const struct ip_set_ext_type ip_set_extensions[] = {
|
const struct ip_set_ext_type ip_set_extensions[] = {
|
||||||
|
|
|
@ -343,21 +343,13 @@ mtype_del_cidr(struct htype *h, u8 cidr, u8 nets_length, u8 n)
|
||||||
/* Calculate the actual memory size of the set data */
|
/* Calculate the actual memory size of the set data */
|
||||||
static size_t
|
static size_t
|
||||||
mtype_ahash_memsize(const struct htype *h, const struct htable *t,
|
mtype_ahash_memsize(const struct htype *h, const struct htable *t,
|
||||||
u8 nets_length, size_t dsize)
|
u8 nets_length)
|
||||||
{
|
{
|
||||||
u32 i;
|
|
||||||
struct hbucket *n;
|
|
||||||
size_t memsize = sizeof(*h) + sizeof(*t);
|
size_t memsize = sizeof(*h) + sizeof(*t);
|
||||||
|
|
||||||
#ifdef IP_SET_HASH_WITH_NETS
|
#ifdef IP_SET_HASH_WITH_NETS
|
||||||
memsize += sizeof(struct net_prefixes) * nets_length;
|
memsize += sizeof(struct net_prefixes) * nets_length;
|
||||||
#endif
|
#endif
|
||||||
for (i = 0; i < jhash_size(t->htable_bits); i++) {
|
|
||||||
n = rcu_dereference_bh(hbucket(t, i));
|
|
||||||
if (!n)
|
|
||||||
continue;
|
|
||||||
memsize += sizeof(struct hbucket) + n->size * dsize;
|
|
||||||
}
|
|
||||||
|
|
||||||
return memsize;
|
return memsize;
|
||||||
}
|
}
|
||||||
|
@ -400,6 +392,7 @@ mtype_flush(struct ip_set *set)
|
||||||
memset(h->nets, 0, sizeof(struct net_prefixes) * NLEN(set->family));
|
memset(h->nets, 0, sizeof(struct net_prefixes) * NLEN(set->family));
|
||||||
#endif
|
#endif
|
||||||
set->elements = 0;
|
set->elements = 0;
|
||||||
|
set->ext_size = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Destroy the hashtable part of the set */
|
/* Destroy the hashtable part of the set */
|
||||||
|
@ -531,6 +524,7 @@ mtype_expire(struct ip_set *set, struct htype *h, u8 nets_length, size_t dsize)
|
||||||
d++;
|
d++;
|
||||||
}
|
}
|
||||||
tmp->pos = d;
|
tmp->pos = d;
|
||||||
|
set->ext_size -= AHASH_INIT_SIZE * dsize;
|
||||||
rcu_assign_pointer(hbucket(t, i), tmp);
|
rcu_assign_pointer(hbucket(t, i), tmp);
|
||||||
kfree_rcu(n, rcu);
|
kfree_rcu(n, rcu);
|
||||||
}
|
}
|
||||||
|
@ -562,7 +556,7 @@ mtype_resize(struct ip_set *set, bool retried)
|
||||||
struct htype *h = set->data;
|
struct htype *h = set->data;
|
||||||
struct htable *t, *orig;
|
struct htable *t, *orig;
|
||||||
u8 htable_bits;
|
u8 htable_bits;
|
||||||
size_t dsize = set->dsize;
|
size_t extsize, dsize = set->dsize;
|
||||||
#ifdef IP_SET_HASH_WITH_NETS
|
#ifdef IP_SET_HASH_WITH_NETS
|
||||||
u8 flags;
|
u8 flags;
|
||||||
struct mtype_elem *tmp;
|
struct mtype_elem *tmp;
|
||||||
|
@ -605,6 +599,7 @@ retry:
|
||||||
/* There can't be another parallel resizing, but dumping is possible */
|
/* There can't be another parallel resizing, but dumping is possible */
|
||||||
atomic_set(&orig->ref, 1);
|
atomic_set(&orig->ref, 1);
|
||||||
atomic_inc(&orig->uref);
|
atomic_inc(&orig->uref);
|
||||||
|
extsize = 0;
|
||||||
pr_debug("attempt to resize set %s from %u to %u, t %p\n",
|
pr_debug("attempt to resize set %s from %u to %u, t %p\n",
|
||||||
set->name, orig->htable_bits, htable_bits, orig);
|
set->name, orig->htable_bits, htable_bits, orig);
|
||||||
for (i = 0; i < jhash_size(orig->htable_bits); i++) {
|
for (i = 0; i < jhash_size(orig->htable_bits); i++) {
|
||||||
|
@ -635,6 +630,7 @@ retry:
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
m->size = AHASH_INIT_SIZE;
|
m->size = AHASH_INIT_SIZE;
|
||||||
|
extsize = sizeof(*m) + AHASH_INIT_SIZE * dsize;
|
||||||
RCU_INIT_POINTER(hbucket(t, key), m);
|
RCU_INIT_POINTER(hbucket(t, key), m);
|
||||||
} else if (m->pos >= m->size) {
|
} else if (m->pos >= m->size) {
|
||||||
struct hbucket *ht;
|
struct hbucket *ht;
|
||||||
|
@ -654,6 +650,7 @@ retry:
|
||||||
memcpy(ht, m, sizeof(struct hbucket) +
|
memcpy(ht, m, sizeof(struct hbucket) +
|
||||||
m->size * dsize);
|
m->size * dsize);
|
||||||
ht->size = m->size + AHASH_INIT_SIZE;
|
ht->size = m->size + AHASH_INIT_SIZE;
|
||||||
|
extsize += AHASH_INIT_SIZE * dsize;
|
||||||
kfree(m);
|
kfree(m);
|
||||||
m = ht;
|
m = ht;
|
||||||
RCU_INIT_POINTER(hbucket(t, key), ht);
|
RCU_INIT_POINTER(hbucket(t, key), ht);
|
||||||
|
@ -667,6 +664,7 @@ retry:
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
rcu_assign_pointer(h->table, t);
|
rcu_assign_pointer(h->table, t);
|
||||||
|
set->ext_size = extsize;
|
||||||
|
|
||||||
spin_unlock_bh(&set->lock);
|
spin_unlock_bh(&set->lock);
|
||||||
|
|
||||||
|
@ -740,6 +738,7 @@ mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext,
|
||||||
if (!n)
|
if (!n)
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
n->size = AHASH_INIT_SIZE;
|
n->size = AHASH_INIT_SIZE;
|
||||||
|
set->ext_size += sizeof(*n) + AHASH_INIT_SIZE * set->dsize;
|
||||||
goto copy_elem;
|
goto copy_elem;
|
||||||
}
|
}
|
||||||
for (i = 0; i < n->pos; i++) {
|
for (i = 0; i < n->pos; i++) {
|
||||||
|
@ -803,6 +802,7 @@ mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext,
|
||||||
memcpy(n, old, sizeof(struct hbucket) +
|
memcpy(n, old, sizeof(struct hbucket) +
|
||||||
old->size * set->dsize);
|
old->size * set->dsize);
|
||||||
n->size = old->size + AHASH_INIT_SIZE;
|
n->size = old->size + AHASH_INIT_SIZE;
|
||||||
|
set->ext_size += AHASH_INIT_SIZE * set->dsize;
|
||||||
}
|
}
|
||||||
|
|
||||||
copy_elem:
|
copy_elem:
|
||||||
|
@ -823,7 +823,7 @@ overwrite_extensions:
|
||||||
if (SET_WITH_COUNTER(set))
|
if (SET_WITH_COUNTER(set))
|
||||||
ip_set_init_counter(ext_counter(data, set), ext);
|
ip_set_init_counter(ext_counter(data, set), ext);
|
||||||
if (SET_WITH_COMMENT(set))
|
if (SET_WITH_COMMENT(set))
|
||||||
ip_set_init_comment(ext_comment(data, set), ext);
|
ip_set_init_comment(set, ext_comment(data, set), ext);
|
||||||
if (SET_WITH_SKBINFO(set))
|
if (SET_WITH_SKBINFO(set))
|
||||||
ip_set_init_skbinfo(ext_skbinfo(data, set), ext);
|
ip_set_init_skbinfo(ext_skbinfo(data, set), ext);
|
||||||
/* Must come last for the case when timed out entry is reused */
|
/* Must come last for the case when timed out entry is reused */
|
||||||
|
@ -895,6 +895,7 @@ mtype_del(struct ip_set *set, void *value, const struct ip_set_ext *ext,
|
||||||
k++;
|
k++;
|
||||||
}
|
}
|
||||||
if (n->pos == 0 && k == 0) {
|
if (n->pos == 0 && k == 0) {
|
||||||
|
set->ext_size -= sizeof(*n) + n->size * dsize;
|
||||||
rcu_assign_pointer(hbucket(t, key), NULL);
|
rcu_assign_pointer(hbucket(t, key), NULL);
|
||||||
kfree_rcu(n, rcu);
|
kfree_rcu(n, rcu);
|
||||||
} else if (k >= AHASH_INIT_SIZE) {
|
} else if (k >= AHASH_INIT_SIZE) {
|
||||||
|
@ -913,6 +914,7 @@ mtype_del(struct ip_set *set, void *value, const struct ip_set_ext *ext,
|
||||||
k++;
|
k++;
|
||||||
}
|
}
|
||||||
tmp->pos = k;
|
tmp->pos = k;
|
||||||
|
set->ext_size -= AHASH_INIT_SIZE * dsize;
|
||||||
rcu_assign_pointer(hbucket(t, key), tmp);
|
rcu_assign_pointer(hbucket(t, key), tmp);
|
||||||
kfree_rcu(n, rcu);
|
kfree_rcu(n, rcu);
|
||||||
}
|
}
|
||||||
|
@ -1061,7 +1063,7 @@ mtype_head(struct ip_set *set, struct sk_buff *skb)
|
||||||
|
|
||||||
rcu_read_lock_bh();
|
rcu_read_lock_bh();
|
||||||
t = rcu_dereference_bh_nfnl(h->table);
|
t = rcu_dereference_bh_nfnl(h->table);
|
||||||
memsize = mtype_ahash_memsize(h, t, NLEN(set->family), set->dsize);
|
memsize = mtype_ahash_memsize(h, t, NLEN(set->family)) + set->ext_size;
|
||||||
htable_bits = t->htable_bits;
|
htable_bits = t->htable_bits;
|
||||||
rcu_read_unlock_bh();
|
rcu_read_unlock_bh();
|
||||||
|
|
||||||
|
|
|
@ -228,7 +228,7 @@ list_set_init_extensions(struct ip_set *set, const struct ip_set_ext *ext,
|
||||||
if (SET_WITH_COUNTER(set))
|
if (SET_WITH_COUNTER(set))
|
||||||
ip_set_init_counter(ext_counter(e, set), ext);
|
ip_set_init_counter(ext_counter(e, set), ext);
|
||||||
if (SET_WITH_COMMENT(set))
|
if (SET_WITH_COMMENT(set))
|
||||||
ip_set_init_comment(ext_comment(e, set), ext);
|
ip_set_init_comment(set, ext_comment(e, set), ext);
|
||||||
if (SET_WITH_SKBINFO(set))
|
if (SET_WITH_SKBINFO(set))
|
||||||
ip_set_init_skbinfo(ext_skbinfo(e, set), ext);
|
ip_set_init_skbinfo(ext_skbinfo(e, set), ext);
|
||||||
/* Update timeout last */
|
/* Update timeout last */
|
||||||
|
@ -422,6 +422,7 @@ list_set_flush(struct ip_set *set)
|
||||||
list_for_each_entry_safe(e, n, &map->members, list)
|
list_for_each_entry_safe(e, n, &map->members, list)
|
||||||
list_set_del(set, e);
|
list_set_del(set, e);
|
||||||
set->elements = 0;
|
set->elements = 0;
|
||||||
|
set->ext_size = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
|
@ -467,7 +468,7 @@ list_set_head(struct ip_set *set, struct sk_buff *skb)
|
||||||
{
|
{
|
||||||
const struct list_set *map = set->data;
|
const struct list_set *map = set->data;
|
||||||
struct nlattr *nested;
|
struct nlattr *nested;
|
||||||
size_t memsize = list_set_memsize(map, set->dsize);
|
size_t memsize = list_set_memsize(map, set->dsize) + set->ext_size;
|
||||||
|
|
||||||
nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
|
nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
|
||||||
if (!nested)
|
if (!nested)
|
||||||
|
|
Loading…
Reference in New Issue