[PATCH 00/14] netfilter: nf_tables: concatenation support

The following patches add support for concatenations, which allow
multi-dimensional exact matches in O(1).

The basic idea is to split the data registers, currently consisting of
4 registers of 16 bytes each, into smaller units, 16 registers of 4
bytes each, and to make sure each register store always leaves the
full 32 bit in a well defined state, meaning smaller stores will
zero the remaining bits.

Based on that, we can load multiple adjacent registers with different
values, thereby building a concatenated bigger value, and use that
value for set lookups.

Sets are changed to use variable sized extensions for their key and
data values, removing the fixed limit of 16 bytes while saving memory
if less space is needed.

As a side effect, these patches will allow some nice optimizations in
the future, like using jhash2 in nft_hash, removing the masking in
nft_cmp_fast, optimized data comparison using 32 bit word size etc.
These are not done so far however.

The patches are split up as follows:

 * the first five patches add length validation to register loads and
   stores to make sure we stay within bounds and prepare the validation
   functions for the new addressing mode

 * the next patches prepare for changing to 32 bit addressing by
   introducing a struct nft_regs, which holds the verdict register as
   well as the data registers. The verdict members are moved to a new
   struct nft_verdict to allow pulling struct nft_data out of the stack.

 * the next patches contain preparatory conversions of expressions and
   sets to use 32 bit addressing

 * the next patch introduces so far unused register conversion helpers
   for parsing and dumping register numbers over netlink

 * following is the real conversion to 32 bit addressing, consisting of
   replacing struct nft_data in struct nft_regs by an array of u32s and
   actually translating and validating the new register numbers.

 * the final two patches add support for variable sized data items and
   variable sized keys / data in set elements

The patches have been verified to work correctly with nft binaries using
both old and new addressing.

Examples:

# MAC address filter
nft add set filter test { type ether_addr . ipv4_addr }
nft add element filter test {
	52:54:00:73:c0:55 . 192.168.122.128,
	...
}

nft filter input ether saddr . ip saddr @test counter

# Also works with dynamic set updates:
nft add set filter test { type ipv4_addr . inet_service; timeout 60s }

nft filter input set update ip daddr . tcp dport @test
nft filter output ip saddr . tcp sport @test counter


Please apply, thanks!


Patrick McHardy (14):
  netfilter: nf_tables: validate len in nft_validate_data_load()
  netfilter: nf_tables: rename nft_validate_data_load()
  netfilter: nft_lookup: use nft_validate_register_store() to validate types
  netfilter: nf_tables: kill nft_validate_output_register()
  netfilter: nf_tables: introduce nft_validate_register_load()
  netfilter: nf_tables: get rid of NFT_REG_VERDICT usage
  netfilter: nf_tables: use struct nft_verdict within struct nft_data
  netfilter: nf_tables: convert expressions to u32 register pointers
  netfilter: nf_tables: kill nft_data_cmp()
  netfilter: nf_tables: convert sets to u32 data pointers
  netfilter: nf_tables: add register parsing/dumping helpers
  netfilter: nf_tables: switch registers to 32 bit addressing
  netfilter: nf_tables: support variable sized data in nft_data_init()
  netfilter: nf_tables: variable sized set element keys / data

 include/net/netfilter/nf_tables.h        |  79 +++++++-----
 include/net/netfilter/nft_meta.h         |   4 +-
 include/uapi/linux/netfilter/nf_tables.h |  34 +++++-
 net/bridge/netfilter/nft_meta_bridge.c   |  26 ++--
 net/bridge/netfilter/nft_reject_bridge.c |   6 +-
 net/ipv4/netfilter/nft_masq_ipv4.c       |   9 +-
 net/ipv4/netfilter/nft_redir_ipv4.c      |  11 +-
 net/ipv4/netfilter/nft_reject_ipv4.c     |   4 +-
 net/ipv6/netfilter/nft_masq_ipv6.c       |   7 +-
 net/ipv6/netfilter/nft_redir_ipv6.c      |  11 +-
 net/ipv6/netfilter/nft_reject_ipv6.c     |   4 +-
 net/netfilter/nf_tables_api.c            | 198 +++++++++++++++++++------------
 net/netfilter/nf_tables_core.c           |  41 +++----
 net/netfilter/nft_bitwise.c              |  37 +++---
 net/netfilter/nft_byteorder.c            |  40 +++----
 net/netfilter/nft_cmp.c                  |  44 +++----
 net/netfilter/nft_compat.c               |  14 +--
 net/netfilter/nft_counter.c              |   2 +-
 net/netfilter/nft_ct.c                   | 110 +++++++++++------
 net/netfilter/nft_dynset.c               |  25 ++--
 net/netfilter/nft_exthdr.c               |  23 ++--
 net/netfilter/nft_hash.c                 |  19 ++-
 net/netfilter/nft_immediate.c            |  18 ++-
 net/netfilter/nft_limit.c                |   4 +-
 net/netfilter/nft_log.c                  |   2 +-
 net/netfilter/nft_lookup.c               |  28 ++---
 net/netfilter/nft_meta.c                 | 107 +++++++++--------
 net/netfilter/nft_nat.c                  |  71 ++++++-----
 net/netfilter/nft_payload.c              |  24 ++--
 net/netfilter/nft_queue.c                |   4 +-
 net/netfilter/nft_rbtree.c               |  15 ++-
 net/netfilter/nft_redir.c                |  19 +--
 net/netfilter/nft_reject_inet.c          |   5 +-
 33 files changed, 580 insertions(+), 465 deletions(-)

-- 
2.1.0
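The register model described in the cover letter, as an added example that is not part of the patch series or of the original message: a constructed C model of 16 four-byte registers whose stores are bounds-checked and zero-fill the unused bytes of the last word, a concatenated ether_addr . ipv4_addr key built from three adjacent registers, and an O(1) hash set lookup over that key. Every identifier here (reg_store, build_key, rule_matches, store_out_of_range_is_rejected, NFT_REG32_COUNT, KEY_WORDS) and the FNV-1a hash are my own assumptions for illustration; the kernel uses jhash and different names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the register file the series introduces: 16 registers
 * of 4 bytes each, addressed by 32-bit word index (all names hypothetical). */
#define NFT_REG32_COUNT 16
#define NFT_REG32_SIZE  4
#define KEY_WORDS       3  /* ether_addr (2 words) . ipv4_addr (1 word) */
#define SET_BUCKETS     64

struct regs { uint32_t data[NFT_REG32_COUNT]; };
struct set_elem { bool used; uint32_t key[KEY_WORDS]; };
struct set { struct set_elem tbl[SET_BUCKETS]; };

/* Load len bytes into the registers starting at reg. Bounds are validated
 * first, and every register touched ends in a well-defined state: bytes beyond
 * len in the last word are zeroed, so leftovers cannot leak into a key. */
static int reg_store(struct regs *r, unsigned int reg, const void *src, unsigned int len)
{
	unsigned int nregs = (len + NFT_REG32_SIZE - 1) / NFT_REG32_SIZE;
	if (len == 0 || reg >= NFT_REG32_COUNT || nregs > NFT_REG32_COUNT - reg) return -1;
	memset(&r->data[reg], 0, nregs * NFT_REG32_SIZE);
	memcpy(&r->data[reg], src, len);
	return 0;
}

/* "ether saddr . ip saddr": the 6-byte MAC fills words base and base+1 (two
 * bytes of zero padding), the IPv4 address word base+2. The three adjacent
 * registers then form the 12-byte set key. */
static int build_key(struct regs *r, unsigned int base, const uint8_t mac[6], const uint8_t ip[4])
{
	if (reg_store(r, base, mac, 6) < 0) return -1;
	return reg_store(r, base + 2, ip, 4);
}

/* Open-addressing hash set over KEY_WORDS words: the O(1) exact match.
 * FNV-1a is used here for brevity in place of the kernel's jhash. */
static uint32_t key_hash(const uint32_t *key)
{
	uint32_t h = 2166136261u;
	for (unsigned int i = 0; i < KEY_WORDS; i++) {
		h ^= key[i];
		h *= 16777619u;
	}
	return h;
}

static int set_add(struct set *s, const uint32_t *key)
{
	uint32_t h = key_hash(key);
	for (unsigned int n = 0; n < SET_BUCKETS; n++) {
		struct set_elem *e = &s->tbl[(h + n) % SET_BUCKETS];
		if (e->used) continue;	/* linear probing */
		e->used = true;
		memcpy(e->key, key, sizeof(e->key));
		return 0;
	}
	return -1;	/* table full */
}

static bool set_lookup(const struct set *s, const uint32_t *key)
{
	uint32_t h = key_hash(key);
	for (unsigned int n = 0; n < SET_BUCKETS; n++) {
		const struct set_elem *e = &s->tbl[(h + n) % SET_BUCKETS];
		if (!e->used) return false;	/* end of probe chain */
		if (memcmp(e->key, key, sizeof(e->key)) == 0) return true;
	}
	return false;
}

/* Constructed element, taken from the cover letter's example set. */
static const uint8_t known_mac[6] = { 0x52, 0x54, 0x00, 0x73, 0xc0, 0x55 };
static const uint8_t known_ip[4] = { 192, 168, 122, 128 };

/* Evaluate "ether saddr . ip saddr @test" for one packet. The registers are
 * pre-filled with 0xff to imitate leftovers from a previous expression; the
 * lookup succeeds only because reg_store() zeroes the padding bytes. */
bool rule_matches(const uint8_t mac[6], const uint8_t ip[4])
{
	struct set s;
	struct regs r;
	memset(&s, 0, sizeof(s));
	memset(&r, 0, sizeof(r));
	build_key(&r, 0, known_mac, known_ip);	/* "nft add element" side */
	set_add(&s, &r.data[0]);
	memset(&r, 0xff, sizeof(r));
	if (build_key(&r, 4, mac, ip) < 0) return false;	/* packet side */
	return set_lookup(&s, &r.data[4]);
}

/* A 6-byte load at register 15 would spill past the last register; the
 * length validation must reject it and leave the registers untouched. */
bool store_out_of_range_is_rejected(void)
{
	struct regs r;
	memset(&r, 0, sizeof(r));
	return reg_store(&r, 15, known_mac, 6) < 0 && r.data[15] == 0;
}
```

The 0xff pre-fill is the point of the model: if reg_store() only copied len bytes instead of writing whole words, the two padding bytes after the MAC would still hold stale data from whatever ran before, and the 12-byte key would silently fail to match the element that was added. The bounds check at the top of reg_store() is the counterpart on the write side: a store that would run past the last register is refused before anything is touched.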
