Re: netfilter: ipset: Properly calculate extensions offsets and total length

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 16 Mar 2015, Sergey Popovich wrote:

> Offsets and total length returned by the ip_set_elem_len()
> calculated incorrectly as initial set element length (i.e.
> len parameter) is used multiple times in offset calculations,
> also affecting set element total length.
> 
> Use initial set element length as start offset, do not add aligned
> extension offset to the offset. Return offset as total length of
> the set element.
> 
> This reduces memory requirements on per element basic for the
> hash:* type of sets.
> 
> For example output from 'ipset -terse list test-1' on 64-bit PC,
> where test-1 is generated via following script:
> 
>   #!/bin/bash
> 
>   set_name='test-1'
> 
>   ipset create "$set_name" hash:net family inet \
>               timeout 10800 counters comment \
>               hashsize 65536 maxelem 65536
> 
>   declare -i o3 o4
>   fmt="add $set_name 192.168.%u.%u\n"
> 
>   for ((o3 = 0; o3 < 256; o3++)); do
>       for ((o4 = 0; o4 < 256; o4++)); do
>           printf "$fmt" $o3 $o4
>       done
>   done |ipset -exist restore
> 
> BEFORE this patch is applied
> 
>   # ipset -terse list test-1
>   Name: test-1
>   Type: hash:net
>   Revision: 6
>   Header: family inet hashsize 65536 maxelem 65536
> timeout 10800 counters comment
>   Size in memory: 26348440
> 
> and AFTER applying patch
> 
>   # ipset -terse list test-1
>   Name: test-1
>   Type: hash:net
>   Revision: 6
>   Header: family inet hashsize 65536 maxelem 65536
> timeout 10800 counters comment
>   Size in memory: 7706392
>   References: 0
> 
> Signed-off-by: Sergey Popovich <popovich_sergei@xxxxxxx>

Good catch, you are right. Patch is applied.

Best regards,
Jozsef

> ---
>  net/netfilter/ipset/ip_set_core.c |    6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
> index d259da3..fb1f2b4 100644
> --- a/net/netfilter/ipset/ip_set_core.c
> +++ b/net/netfilter/ipset/ip_set_core.c
> @@ -365,7 +365,7 @@ size_t
>  ip_set_elem_len(struct ip_set *set, struct nlattr *tb[], size_t len)
>  {
>  	enum ip_set_ext_id id;
> -	size_t offset = 0;
> +	size_t offset = len;
>  	u32 cadt_flags = 0;
>  
>  	if (tb[IPSET_ATTR_CADT_FLAGS])
> @@ -375,12 +375,12 @@ ip_set_elem_len(struct ip_set *set, struct nlattr *tb[], size_t len)
>  	for (id = 0; id < IPSET_EXT_ID_MAX; id++) {
>  		if (!add_extension(id, cadt_flags, tb))
>  			continue;
> -		offset += ALIGN(len + offset, ip_set_extensions[id].align);
> +		offset = ALIGN(offset, ip_set_extensions[id].align);
>  		set->offset[id] = offset;
>  		set->extensions |= ip_set_extensions[id].type;
>  		offset += ip_set_extensions[id].len;
>  	}
> -	return len + offset;
> +	return offset;
>  }
>  EXPORT_SYMBOL_GPL(ip_set_elem_len);
>  
> -- 
> 1.7.10.4
> 
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux