On Thu, May 12, 2022 at 02:34:11PM +0200, Pablo Neira Ayuso wrote:
> On Thu, May 12, 2022 at 02:30:02PM +0200, Phil Sutter wrote:
> > Allow dumping some info bits about expressions to user space.
> >
> > Signed-off-by: Phil Sutter <phil@xxxxxx>
> > --- > > include/net/netfilter/nf_tables.h | 1 + > > include/uapi/linux/netfilter/nf_tables.h | 1 + > > net/netfilter/nf_tables_api.c | 4 ++++ > > 3 files changed, 6 insertions(+) > > > > diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h > > index 20af9d3557b9d..78db54737de00 100644 > > --- a/include/net/netfilter/nf_tables.h > > +++ b/include/net/netfilter/nf_tables.h > > @@ -346,6 +346,7 @@ struct nft_set_estimate { > > */ > > struct nft_expr { > > const struct nft_expr_ops *ops; > > + u32 flags;
>
> Could you add a new structure? Add struct nft_expr_dp and use it from
> nft_rule_dp, so it is only the control plane representation that stores
> this flag.
>
> It will be a bit more work, but I think it is worth to keep the size
> of the datapath representation as small as possible.

Sounds reasonable, but will get ugly: expr->ops->size includes struct
nft_expr size already, also real per-expr size is aligned to that
struct's size. We could make expr->ops->size the real (unaligned) size
value and change size calculation in nf_tables_newrule() to add struct
and alignment. Then nf_tables_commit_chain_prepare() could iterate over
the rule's expressions and do its own size calculation for
chain->blob_next size.

Do you see a better way to solve this?

Thanks, Phil
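
Review bot: in the `struct nft_expr` hunk, the new `u32 flags;` member has no description, so a `@flags` line should be added to the comment block that ends just above `struct nft_expr {`, stating which bits are defined and where they are set. The commit message says only "some info bits", and the diffstat lists a uapi header change whose hunk is not shown here. The member also goes directly after `ops` in the structure that each expression carries, so every expression grows for a value that is only needed when dumping to user space. If the flag has to stay per expression, the size cost should be stated in the commit message; otherwise keep it in a representation that is not used on the packet path, as the reply suggests.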