netfilter: x_tables: remove XT_TABLE_INFO_SZ and a dereference.

After Florian patches, there is no need for XT_TABLE_INFO_SZ anymore :
Only one copy of table is kept, instead of one copy per cpu.

We also can avoid a dereference if we put table data right after
xt_table_info. It reduces register pressure and helps compiler.

Then, we attempt a kmalloc() if total size is under order-3 allocation,
to reduce TLB pressure, as in many cases, rules fit in 32 KB.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 9969d79dcde1825d5ea7b39934d3b827dbbc153c..95693c4cebdda473a2f3e427dcc2511e83bf7405 100644 (file)
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -225,12 +225,9 @@ struct xt_table_info {
        unsigned int __percpu *stackptr;
        void ***jumpstack;
 
-       /* Note : this field MUST be the last one, see XT_TABLE_INFO_SZ */
-       void *entries;
+       unsigned char entries[0] __aligned(8);
 };
 
-#define XT_TABLE_INFO_SZ (offsetof(struct xt_table_info, entries) \
-                         + nr_cpu_ids * sizeof(char *))
 int xt_register_target(struct xt_target *target);
 void xt_unregister_target(struct xt_target *target);
 int xt_register_targets(struct xt_target *target, unsigned int n);

diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index d75c139393fcfd879bade5b6a9d1b7fef53734f6..95c9b6eece25dfa8da28f8866dd7e55ec86b72e7 100644 (file)
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -256,7 +256,7 @@ unsigned int arpt_do_table(struct sk_buff *skb,
        const struct arphdr *arp;
        struct arpt_entry *e, *back;
        const char *indev, *outdev;
-       void *table_base;
+       const void *table_base;
        const struct xt_table_info *private;
        struct xt_action_param acpar;
        unsigned int addend;
@@ -868,7 +868,7 @@ static int compat_table_info(const struct xt_table_info *info,
                             struct xt_table_info *newinfo)
 {
        struct arpt_entry *iter;
-       void *loc_cpu_entry;
+       const void *loc_cpu_entry;
        int ret;
 
        if (!newinfo || !info)

diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 6151500c2df89bacaebb0b23e522af80f5659930..6c72fbb7b49eb97d3574fd8c10174f9580752911 100644 (file)
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -938,7 +938,7 @@ copy_entries_to_user(unsigned int total_size,
        struct xt_counters *counters;
        const struct xt_table_info *private = table->private;
        int ret = 0;
-       void *loc_cpu_entry;
+       const void *loc_cpu_entry;
 
        counters = alloc_counters(table);
        if (IS_ERR(counters))
@@ -1052,7 +1052,7 @@ static int compat_table_info(const struct xt_table_info *info,
                             struct xt_table_info *newinfo)
 {
        struct ipt_entry *iter;
-       void *loc_cpu_entry;
+       const void *loc_cpu_entry;
        int ret;
 
        if (!newinfo || !info)

diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 80a7f0d38aa4c98da60848058f2c43d36d3f280e..3c35ced39b42b48d3b81a2bfb8e448bd2dc02e17 100644 (file)
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -951,7 +951,7 @@ copy_entries_to_user(unsigned int total_size,
        struct xt_counters *counters;
        const struct xt_table_info *private = table->private;
        int ret = 0;
-       void *loc_cpu_entry;
+       const void *loc_cpu_entry;
 
        counters = alloc_counters(table);
        if (IS_ERR(counters))
@@ -1065,7 +1065,7 @@ static int compat_table_info(const struct xt_table_info *info,
                             struct xt_table_info *newinfo)
 {
        struct ip6t_entry *iter;
-       void *loc_cpu_entry;
+       const void *loc_cpu_entry;
        int ret;
 
        if (!newinfo || !info)

diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 6062ce3e862cedf9ca31794037ea5208e7e49bd3..d324fe71260c9f24b02507e4f429c0ba1e328d98 100644 (file)
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -658,29 +658,23 @@ EXPORT_SYMBOL_GPL(xt_compat_target_to_user);
 
 struct xt_table_info *xt_alloc_table_info(unsigned int size)
 {
-       struct xt_table_info *newinfo;
+       struct xt_table_info *info = NULL;
+       size_t sz = sizeof(*info) + size;
 
        /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */
        if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages)
                return NULL;
 
-       newinfo = kzalloc(XT_TABLE_INFO_SZ, GFP_KERNEL);
-       if (!newinfo)
-               return NULL;
-
-       newinfo->size = size;
-
-       if (size <= PAGE_SIZE)
-               newinfo->entries = kmalloc(size, GFP_KERNEL);
-       else
-               newinfo->entries = vmalloc(size);
-
-       if (newinfo->entries == NULL) {
-               xt_free_table_info(newinfo);
-               return NULL;
+       if (sz <= (PAGE_SIZE << PAGE_ALLOC_COSTLY_ORDER))
+               info = kmalloc(sz, GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY);
+       if (!info) {
+               info = vmalloc(sz);
+               if (!info)
+                       return NULL;
        }
-
-       return newinfo;
+       memset(info, 0, sizeof(*info));
+       info->size = size;
+       return info;
 }
 EXPORT_SYMBOL(xt_alloc_table_info);
 
@@ -688,8 +682,6 @@ void xt_free_table_info(struct xt_table_info *info)
 {
        int cpu;
 
-       kvfree(info->entries);
-
        if (info->jumpstack != NULL) {
                for_each_possible_cpu(cpu)
                        kvfree(info->jumpstack[cpu]);
@@ -698,7 +690,7 @@ void xt_free_table_info(struct xt_table_info *info)
 
        free_percpu(info->stackptr);
 
-       kfree(info);
+       kvfree(info);
 }
 EXPORT_SYMBOL(xt_free_table_info);