Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
netfilter: nf_tables: don't store address of last rule on jump

Walk the rule headers until the trailer one (last_bit flag set) instead
of stopping at last_rule address.

This avoids the need to store the address when jumping to another chain.

This cuts the size of the jumpstack array by one third, on 64bit from
384 to 256 bytes. Even so, stack usage is still quite large:

scripts/stackusage:
nf_tables_core.c:258 nft_do_chain 496 static

Next patch will also remove chain pointer.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Florian Westphal and committed by
Pablo Neira Ayuso
d4d89e65 e38fbfa9

+2 -6
+2 -6
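--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@
 struct nft_jumpstack {
 	const struct nft_chain *chain;
 	const struct nft_rule_dp *rule;
-	const struct nft_rule_dp *last_rule;
 };
 
 static void expr_call_ops_eval(const struct nft_expr *expr,
@@
 nft_do_chain(struct nft_pktinfo *pkt, void *priv)
 {
 	const struct nft_chain *chain = priv, *basechain = chain;
-	const struct nft_rule_dp *rule, *last_rule;
 	const struct net *net = nft_net(pkt);
 	const struct nft_expr *expr, *last;
+	const struct nft_rule_dp *rule;
 	struct nft_regs regs = {};
 	unsigned int stackptr = 0;
 	struct nft_jumpstack jumpstack[NFT_JUMP_STACK_SIZE];
@@
 		blob = rcu_dereference(chain->blob_gen_0);
 
 	rule = (struct nft_rule_dp *)blob->data;
-	last_rule = (void *)blob->data + blob->size;
 next_rule:
 	regs.verdict.code = NFT_CONTINUE;
-	for (; rule < last_rule; rule = nft_rule_next(rule)) {
+	for (; !rule->is_last ; rule = nft_rule_next(rule)) {
 		nft_rule_dp_for_each_expr(expr, last, rule) {
 			if (expr->ops == &nft_cmp_fast_ops)
 				nft_cmp_fast_eval(expr, &regs);
@@
 			return NF_DROP;
 		jumpstack[stackptr].chain = chain;
 		jumpstack[stackptr].rule = nft_rule_next(rule);
-		jumpstack[stackptr].last_rule = last_rule;
 		stackptr++;
 		fallthrough;
 	case NFT_GOTO:
@@
 		stackptr--;
 		chain = jumpstack[stackptr].chain;
 		rule = jumpstack[stackptr].rule;
-		last_rule = jumpstack[stackptr].last_rule;
 		goto next_rule;
 	}
 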
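Review bot: The rule loop in nft_do_chain now dereferences `rule` to decide termination (`!rule->is_last`), so the only thing that stops the walk is the trailer rule stored inside the blob; the removed `last_rule` bound derived from `blob->size` no longer backstops it. That turns "every chain blob, including one for an empty chain, ends in a rule header with is_last set" into a memory-safety invariant of the packet path, and the code that builds the blobs is not part of this change, so it should be confirmed there. I would state the invariant at the loop, for example `/* blob always ends with a trailer rule (is_last set); no separate end pointer is kept */`. The same invariant covers the resume path, where `jumpstack[stackptr].rule` holds `nft_rule_next(rule)` and may already point at the trailer when the loop condition is re-evaluated. nft_do_chain's body continues outside the hunks shown.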