v3:
I failed to realize that nft_audit leaks one implementation detail
to userspace: the length of the transaction log.
This is bad, but I do not know if we can change things to make
nft_audit NOT do that. Hence add a new workaround patch that
inflates the length based on the number of set elements in the
container structure.
Also fix up notifications, for update case, notifications were
skipped but currently newsetelem notifications are done even if
existing set element is updated.
Most patches are unchanged.
"prefer nft_trans_elem_alloc helper" is already upstreamed so
its dropped from this batch.
v2: only change is in patch 3, and by extension, the last one:
During transaction abort, we need to handle an aggregate container to
contain both new set elements and updates. The latter must be
skipped, else we remove element that already existed at start of the
transaction.
original cover letter:
When doing a flush on a set or mass adding/removing elements from a
set, each element needs to allocate 96 bytes to hold the transactional
state.
In such cases, virtually all the information in struct nft_trans_elem
is the same.
Change nft_trans_elem to a flex-array, i.e. a single nft_trans_elem
can hold multiple set element pointers.
The number of elements that can be stored in one nft_trans_elem is limited
by the slab allocator, this series limits the compaction to at most 62
elements as it caps the reallocation to 2048 bytes of memory.
Florian Westphal (5):
netfilter: nf_tables: add nft_trans_commit_list_add_elem helper
netfilter: nf_tables: prepare for multiple elements in nft_trans_elem
structure
netfiler: nf_tables: preemitve fix for audit failure
netfilter: nf_tables: switch trans_elem to real flex array
netfilter: nf_tables: allocate element update information dynamically
include/net/netfilter/nf_tables.h | 25 +-
net/netfilter/nf_tables_api.c | 368 +++++++++++++++++++++++-------
2 files changed, 304 insertions(+), 89 deletions(-)
--
2.45.2
