Skip to content

Commit 0a20214

Browse files
Florian Westphalummakynes
Florian Westphal
authored and
ummakynes
committed
netfilter: nf_tables: do not store verdict in traceinfo structure
Just pass it as argument to nft_trace_notify. Stack is reduced by 8 bytes: nf_tables_core.c:256 nft_do_chain 312 static Signed-off-by: Florian Westphal <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]>
1 parent 698bb82 commit 0a20214

File tree

3 files changed

+20
-19
lines changed

3 files changed

+20
-19
lines changed

include/net/netfilter/nf_tables.h

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1410,7 +1410,6 @@ void nft_unregister_flowtable_type(struct nf_flowtable_type *type);
14101410
* @packet_dumped: packet headers sent in a previous traceinfo message
14111411
* @basechain: base chain currently processed
14121412
* @rule: rule that was evaluated
1413-
* @verdict: verdict given by rule
14141413
*/
14151414
struct nft_traceinfo {
14161415
bool trace;
@@ -1420,14 +1419,13 @@ struct nft_traceinfo {
14201419
u32 skbid;
14211420
const struct nft_base_chain *basechain;
14221421
const struct nft_rule_dp *rule;
1423-
const struct nft_verdict *verdict;
14241422
};
14251423

14261424
void nft_trace_init(struct nft_traceinfo *info, const struct nft_pktinfo *pkt,
1427-
const struct nft_verdict *verdict,
14281425
const struct nft_chain *basechain);
14291426

14301427
void nft_trace_notify(const struct nft_pktinfo *pkt,
1428+
const struct nft_verdict *verdict,
14311429
struct nft_traceinfo *info);
14321430

14331431
#define MODULE_ALIAS_NFT_CHAIN(family, name) \

net/netfilter/nf_tables_core.c

Lines changed: 8 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -42,6 +42,7 @@ static inline void nf_skip_indirect_calls_enable(void) { }
4242
#endif
4343

4444
static noinline void __nft_trace_packet(const struct nft_pktinfo *pkt,
45+
const struct nft_verdict *verdict,
4546
struct nft_traceinfo *info,
4647
enum nft_trace_types type)
4748
{
@@ -50,18 +51,19 @@ static noinline void __nft_trace_packet(const struct nft_pktinfo *pkt,
5051

5152
info->type = type;
5253

53-
nft_trace_notify(pkt, info);
54+
nft_trace_notify(pkt, verdict, info);
5455
}
5556

5657
static inline void nft_trace_packet(const struct nft_pktinfo *pkt,
58+
struct nft_verdict *verdict,
5759
struct nft_traceinfo *info,
5860
const struct nft_rule_dp *rule,
5961
enum nft_trace_types type)
6062
{
6163
if (static_branch_unlikely(&nft_trace_enabled)) {
6264
info->nf_trace = pkt->skb->nf_trace;
6365
info->rule = rule;
64-
__nft_trace_packet(pkt, info, type);
66+
__nft_trace_packet(pkt, verdict, info, type);
6567
}
6668
}
6769

@@ -129,7 +131,7 @@ static noinline void __nft_trace_verdict(const struct nft_pktinfo *pkt,
129131
break;
130132
}
131133

132-
__nft_trace_packet(pkt, info, type);
134+
__nft_trace_packet(pkt, &regs->verdict, info, type);
133135
}
134136

135137
static inline void nft_trace_verdict(const struct nft_pktinfo *pkt,
@@ -264,7 +266,7 @@ nft_do_chain(struct nft_pktinfo *pkt, void *priv)
264266

265267
info.trace = false;
266268
if (static_branch_unlikely(&nft_trace_enabled))
267-
nft_trace_init(&info, pkt, &regs.verdict, basechain);
269+
nft_trace_init(&info, pkt, basechain);
268270
do_chain:
269271
if (genbit)
270272
blob = rcu_dereference(chain->blob_gen_1);
@@ -296,7 +298,7 @@ nft_do_chain(struct nft_pktinfo *pkt, void *priv)
296298
nft_trace_copy_nftrace(pkt, &info);
297299
continue;
298300
case NFT_CONTINUE:
299-
nft_trace_packet(pkt, &info, rule,
301+
nft_trace_packet(pkt, &regs.verdict, &info, rule,
300302
NFT_TRACETYPE_RULE);
301303
continue;
302304
}
@@ -336,7 +338,7 @@ nft_do_chain(struct nft_pktinfo *pkt, void *priv)
336338
goto next_rule;
337339
}
338340

339-
nft_trace_packet(pkt, &info, NULL, NFT_TRACETYPE_POLICY);
341+
nft_trace_packet(pkt, &regs.verdict, &info, NULL, NFT_TRACETYPE_POLICY);
340342

341343
if (static_branch_unlikely(&nft_counters_enabled))
342344
nft_update_chain_stats(basechain, pkt);

net/netfilter/nf_tables_trace.c

Lines changed: 11 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -124,6 +124,7 @@ static int nf_trace_fill_pkt_info(struct sk_buff *nlskb,
124124
}
125125

126126
static int nf_trace_fill_rule_info(struct sk_buff *nlskb,
127+
const struct nft_verdict *verdict,
127128
const struct nft_traceinfo *info)
128129
{
129130
if (!info->rule || info->rule->is_last)
@@ -135,15 +136,16 @@ static int nf_trace_fill_rule_info(struct sk_buff *nlskb,
135136
* Since no rule matched, the ->rule pointer is invalid.
136137
*/
137138
if (info->type == NFT_TRACETYPE_RETURN &&
138-
info->verdict->code == NFT_CONTINUE)
139+
verdict->code == NFT_CONTINUE)
139140
return 0;
140141

141142
return nla_put_be64(nlskb, NFTA_TRACE_RULE_HANDLE,
142143
cpu_to_be64(info->rule->handle),
143144
NFTA_TRACE_PAD);
144145
}
145146

146-
static bool nft_trace_have_verdict_chain(struct nft_traceinfo *info)
147+
static bool nft_trace_have_verdict_chain(const struct nft_verdict *verdict,
148+
struct nft_traceinfo *info)
147149
{
148150
switch (info->type) {
149151
case NFT_TRACETYPE_RETURN:
@@ -153,7 +155,7 @@ static bool nft_trace_have_verdict_chain(struct nft_traceinfo *info)
153155
return false;
154156
}
155157

156-
switch (info->verdict->code) {
158+
switch (verdict->code) {
157159
case NFT_JUMP:
158160
case NFT_GOTO:
159161
break;
@@ -184,6 +186,7 @@ static const struct nft_chain *nft_trace_get_chain(const struct nft_traceinfo *i
184186
}
185187

186188
void nft_trace_notify(const struct nft_pktinfo *pkt,
189+
const struct nft_verdict *verdict,
187190
struct nft_traceinfo *info)
188191
{
189192
const struct nft_chain *chain;
@@ -217,8 +220,8 @@ void nft_trace_notify(const struct nft_pktinfo *pkt,
217220
nla_total_size(sizeof(u32)) + /* nfproto */
218221
nla_total_size(sizeof(u32)); /* policy */
219222

220-
if (nft_trace_have_verdict_chain(info))
221-
size += nla_total_size(strlen(info->verdict->chain->name)); /* jump target */
223+
if (nft_trace_have_verdict_chain(verdict, info))
224+
size += nla_total_size(strlen(verdict->chain->name)); /* jump target */
222225

223226
skb = nlmsg_new(size, GFP_ATOMIC);
224227
if (!skb)
@@ -245,7 +248,7 @@ void nft_trace_notify(const struct nft_pktinfo *pkt,
245248
if (nla_put_string(skb, NFTA_TRACE_TABLE, chain->table->name))
246249
goto nla_put_failure;
247250

248-
if (nf_trace_fill_rule_info(skb, info))
251+
if (nf_trace_fill_rule_info(skb, verdict, info))
249252
goto nla_put_failure;
250253

251254
switch (info->type) {
@@ -254,11 +257,11 @@ void nft_trace_notify(const struct nft_pktinfo *pkt,
254257
break;
255258
case NFT_TRACETYPE_RETURN:
256259
case NFT_TRACETYPE_RULE:
257-
if (nft_verdict_dump(skb, NFTA_TRACE_VERDICT, info->verdict))
260+
if (nft_verdict_dump(skb, NFTA_TRACE_VERDICT, verdict))
258261
goto nla_put_failure;
259262

260263
/* pkt->skb undefined iff NF_STOLEN, disable dump */
261-
if (info->verdict->code == NF_STOLEN)
264+
if (verdict->code == NF_STOLEN)
262265
info->packet_dumped = true;
263266
else
264267
mark = pkt->skb->mark;
@@ -295,7 +298,6 @@ void nft_trace_notify(const struct nft_pktinfo *pkt,
295298
}
296299

297300
void nft_trace_init(struct nft_traceinfo *info, const struct nft_pktinfo *pkt,
298-
const struct nft_verdict *verdict,
299301
const struct nft_chain *chain)
300302
{
301303
static siphash_key_t trace_key __read_mostly;
@@ -305,7 +307,6 @@ void nft_trace_init(struct nft_traceinfo *info, const struct nft_pktinfo *pkt,
305307
info->trace = true;
306308
info->nf_trace = pkt->skb->nf_trace;
307309
info->packet_dumped = false;
308-
info->verdict = verdict;
309310

310311
net_get_random_once(&trace_key, sizeof(trace_key));
311312

0 commit comments

Comments
 (0)