On Wed, Oct 16, 2024 at 03:19:07PM +0200, Florian Westphal wrote:
> v3:
> I failed to realize that nft_audit leaks one implementation detail
> to userspace: the length of the transaction log.
>
> This is bad, but I do not know if we can change things to make
> nft_audit NOT do that. Hence add a new workaround patch that
> inflates the length based on the number of set elements in the
> container structure.

It actually shows the number of entries that have been updated, right?

Before this series, there was a 1:1 mapping between transaction and
objects, so it was easier to infer it from the number of transaction
objects.

> Also fix up notifications: for the update case, notifications were
> skipped, but currently newsetelem notifications are done even if an
> existing set element is updated.
>
> Most patches are unchanged.
> "prefer nft_trans_elem_alloc helper" is already upstreamed, so
> it's dropped from this batch.
>
>
> v2: only change is in patch 3, and by extension, the last one:
> During transaction abort, we need to handle an aggregate container to
> contain both new set elements and updates. The latter must be
> skipped, else we remove elements that already existed at the start of the
> transaction.
>
> original cover letter:
>
> When doing a flush on a set or mass adding/removing elements from a
> set, each element needs to allocate 96 bytes to hold the transactional
> state.
>
> In such cases, virtually all the information in struct nft_trans_elem
> is the same.
>
> Change nft_trans_elem to a flex-array, i.e. a single nft_trans_elem
> can hold multiple set element pointers.
>
> The number of elements that can be stored in one nft_trans_elem is limited
> by the slab allocator; this series limits the compaction to at most 62
> elements as it caps the reallocation to 2048 bytes of memory.
>
> Florian Westphal (5):
>   netfilter: nf_tables: add nft_trans_commit_list_add_elem helper
>   netfilter: nf_tables: prepare for multiple elements in nft_trans_elem
>     structure
>   netfilter: nf_tables: preemptive fix for audit failure
>   netfilter: nf_tables: switch trans_elem to real flex array
>   netfilter: nf_tables: allocate element update information dynamically
>
>  include/net/netfilter/nf_tables.h |  25 +-
>  net/netfilter/nf_tables_api.c     | 368 +++++++++++++++++++++++-------
>  2 files changed, 304 insertions(+), 89 deletions(-)
>
> --
> 2.45.2
>
>
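As an added illustration, not code from this series or from the kernel, the following C model shows the aggregation scheme the cover letter describes and the two points raised in the thread: a container with a flexible array of element slots capped at 62 entries, an audit count that sums the entries across containers rather than counting containers (the reply's point about what the length actually reports), and an abort path that skips slots recorded as updates so that pre-existing elements survive. Every name here (`struct trans_elem`, `trans_log_add`, `trans_log_abort`, the toy `struct elem`) is invented for the example; the growth policy and byte sizes are not the kernel's, only the 62-entry cap is taken from the cover letter.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy set element (constructed for this example; not the kernel's struct). */
struct elem {
	unsigned int key;
	int in_set;		/* 1 while the element is part of the set */
};

/* Cap quoted in the cover letter: at most 62 elements per container. */
#define TRANS_ELEM_MAX 62

/* Hypothetical aggregate record: header plus a flexible array of slots. */
struct trans_elem {
	unsigned int nelems;	/* slots in use */
	unsigned int capacity;	/* slots allocated */
	struct {
		struct elem *priv;
		int update;	/* 1: element already existed before the transaction */
	} slot[];
};

/* Transaction log: an array of containers (the kernel uses a list). */
struct trans_log {
	struct trans_elem **conts;
	unsigned int nconts;
};

static struct trans_elem *trans_elem_grow(struct trans_elem *t, unsigned int cap)
{
	struct trans_elem *n = realloc(t, sizeof(*n) + cap * sizeof(n->slot[0]));
	if (!n)
		return NULL;
	if (!t)
		n->nelems = 0;
	n->capacity = cap;
	return n;
}

/* Record one element; reuse the last container while it can still grow. */
static int trans_log_add(struct trans_log *log, struct elem *e, int update)
{
	struct trans_elem *t = log->nconts ? log->conts[log->nconts - 1] : NULL;

	if (t && t->nelems == t->capacity && t->capacity < TRANS_ELEM_MAX) {
		unsigned int cap = t->capacity * 2;
		if (cap > TRANS_ELEM_MAX)
			cap = TRANS_ELEM_MAX;
		t = trans_elem_grow(t, cap);
		if (!t)
			return -1;
		log->conts[log->nconts - 1] = t;
	}
	if (!t || t->nelems == t->capacity) {
		struct trans_elem **c = realloc(log->conts, (log->nconts + 1) * sizeof(*c));
		if (!c)
			return -1;
		log->conts = c;
		t = trans_elem_grow(NULL, 1);
		if (!t)
			return -1;
		log->conts[log->nconts++] = t;
	}
	t->slot[t->nelems].priv = e;
	t->slot[t->nelems].update = update;
	t->nelems++;
	return 0;
}

/* Audit must report updated entries, not containers: sum the slots. */
static unsigned int trans_log_audit_count(const struct trans_log *log)
{
	unsigned int i, n = 0;
	for (i = 0; i < log->nconts; i++)
		n += log->conts[i]->nelems;
	return n;
}

/* Abort: remove elements added in this transaction, skip recorded updates. */
static unsigned int trans_log_abort(struct trans_log *log)
{
	unsigned int i, j, removed = 0;
	for (i = 0; i < log->nconts; i++) {
		struct trans_elem *t = log->conts[i];
		for (j = 0; j < t->nelems; j++) {
			if (t->slot[j].update)
				continue;	/* existed before: must stay in the set */
			t->slot[j].priv->in_set = 0;
			removed++;
		}
		free(t);
	}
	free(log->conts);
	log->conts = NULL;
	log->nconts = 0;
	return removed;
}

struct demo_result { unsigned int conts, audit, removed, still_in_set; };

/* Add nnew fresh elements and nupd updates of existing ones, then abort. */
static struct demo_result run_demo(unsigned int nnew, unsigned int nupd)
{
	struct demo_result r = {0, 0, 0, 0};
	struct trans_log log = {NULL, 0};
	unsigned int i, total = nnew + nupd;
	struct elem *pool = calloc(total, sizeof(*pool));
	if (!pool)
		return r;
	for (i = 0; i < total; i++) {
		pool[i].key = i;
		pool[i].in_set = 1;	/* constructed: all are in the set after the adds */
		if (trans_log_add(&log, &pool[i], i >= nnew) < 0)
			break;
	}
	r.conts = log.nconts;
	r.audit = trans_log_audit_count(&log);
	r.removed = trans_log_abort(&log);
	for (i = 0; i < total; i++)
		r.still_in_set += pool[i].in_set;
	free(pool);
	return r;
}

int main(void)
{
	struct demo_result r = run_demo(100, 30);
	printf("containers=%u audit=%u removed=%u kept=%u\n",
	       r.conts, r.audit, r.removed, r.still_in_set);
	return 0;
}
```

With 100 new elements and 30 updates the log needs three containers (62 + 62 + 6) while the audit count is 130, which is the gap the workaround patch in the cover letter has to bridge; the abort leaves exactly the 30 updated elements in the set.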