
Commit 633c9a8

committed
netfilter: nfnetlink: avoid recurrent netns lookups in call_batch
Pass the net pointer to the call_batch callback functions so we can skip recurrent lookups. Signed-off-by: Pablo Neira Ayuso <[email protected]> Tested-by: Arturo Borrero Gonzalez <[email protected]>
1 parent 639e077 commit 633c9a8

3 files changed

+47
-53
lines changed


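--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -14,7 +14,7 @@ struct nfnl_callback {
 int (*call_rcu)(struct sock *nl, struct sk_buff *skb,
 const struct nlmsghdr *nlh,
 const struct nlattr * const cda[]);
-int (*call_batch)(struct sock *nl, struct sk_buff *skb,
+int (*call_batch)(struct net *net, struct sock *nl, struct sk_buff *skb,
 const struct nlmsghdr *nlh,
 const struct nlattr * const cda[]);
 const struct nla_policy *policy; /* netlink attribute policy */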
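Review bot: The new `net` parameter of `call_batch` is the only one of the three callback pointers that is not resolved from the socket/skb by the callee, and the struct gives no hint of where it comes from or that it is now the namespace every lookup in the batch is scoped by. A short comment on the field would make that contract explicit for out-of-tree implementors, e.g. `/* net: namespace of the requesting socket, resolved once by the batch dispatcher */`. The sibling `call_rcu` (and, presumably, `call` above the hunk) keep deriving the namespace themselves, so the asymmetry is worth spelling out.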

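--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -89,14 +89,15 @@ nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
 }
 
 static void nft_ctx_init(struct nft_ctx *ctx,
+struct net *net,
 const struct sk_buff *skb,
 const struct nlmsghdr *nlh,
 struct nft_af_info *afi,
 struct nft_table *table,
 struct nft_chain *chain,
 const struct nlattr * const *nla)
 {
-ctx->net = sock_net(skb->sk);
+ctx->net = net;
 ctx->afi = afi;
 ctx->table = table;
 ctx->chain = chain;
@@ -672,15 +673,14 @@ static int nf_tables_updtable(struct nft_ctx *ctx)
 return ret;
 }
 
-static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
-const struct nlmsghdr *nlh,
+static int nf_tables_newtable(struct net *net, struct sock *nlsk,
+struct sk_buff *skb, const struct nlmsghdr *nlh,
 const struct nlattr * const nla[])
 {
 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
 const struct nlattr *name;
 struct nft_af_info *afi;
 struct nft_table *table;
-struct net *net = sock_net(skb->sk);
 int family = nfmsg->nfgen_family;
 u32 flags = 0;
 struct nft_ctx ctx;
@@ -706,7 +706,7 @@ static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
 if (nlh->nlmsg_flags & NLM_F_REPLACE)
 return -EOPNOTSUPP;
 
-nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
+nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
 return nf_tables_updtable(&ctx);
 }
 
@@ -730,7 +730,7 @@ static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
 INIT_LIST_HEAD(&table->sets);
 table->flags = flags;
 
-nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
+nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
 if (err < 0)
 goto err3;
@@ -810,18 +810,17 @@ static int nft_flush(struct nft_ctx *ctx, int family)
 return err;
 }
 
-static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
-const struct nlmsghdr *nlh,
+static int nf_tables_deltable(struct net *net, struct sock *nlsk,
+struct sk_buff *skb, const struct nlmsghdr *nlh,
 const struct nlattr * const nla[])
 {
 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
 struct nft_af_info *afi;
 struct nft_table *table;
-struct net *net = sock_net(skb->sk);
 int family = nfmsg->nfgen_family;
 struct nft_ctx ctx;
 
-nft_ctx_init(&ctx, skb, nlh, NULL, NULL, NULL, nla);
+nft_ctx_init(&ctx, net, skb, nlh, NULL, NULL, NULL, nla);
 if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
 return nft_flush(&ctx, family);
 
@@ -1221,8 +1220,8 @@ static void nf_tables_chain_destroy(struct nft_chain *chain)
 }
 }
 
-static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
-const struct nlmsghdr *nlh,
+static int nf_tables_newchain(struct net *net, struct sock *nlsk,
+struct sk_buff *skb, const struct nlmsghdr *nlh,
 const struct nlattr * const nla[])
 {
 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
@@ -1232,7 +1231,6 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
 struct nft_chain *chain;
 struct nft_base_chain *basechain = NULL;
 struct nlattr *ha[NFTA_HOOK_MAX + 1];
-struct net *net = sock_net(skb->sk);
 int family = nfmsg->nfgen_family;
 struct net_device *dev = NULL;
 u8 policy = NF_ACCEPT;
@@ -1313,7 +1311,7 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
 return PTR_ERR(stats);
 }
 
-nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
+nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
 trans = nft_trans_alloc(&ctx, NFT_MSG_NEWCHAIN,
 sizeof(struct nft_trans_chain));
 if (trans == NULL) {
@@ -1461,7 +1459,7 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
 if (err < 0)
 goto err1;
 
-nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
+nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
 err = nft_trans_chain_add(&ctx, NFT_MSG_NEWCHAIN);
 if (err < 0)
 goto err2;
@@ -1476,15 +1474,14 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
 return err;
 }
 
-static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb,
-const struct nlmsghdr *nlh,
+static int nf_tables_delchain(struct net *net, struct sock *nlsk,
+struct sk_buff *skb, const struct nlmsghdr *nlh,
 const struct nlattr * const nla[])
 {
 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
 struct nft_af_info *afi;
 struct nft_table *table;
 struct nft_chain *chain;
-struct net *net = sock_net(skb->sk);
 int family = nfmsg->nfgen_family;
 struct nft_ctx ctx;
 
@@ -1506,7 +1503,7 @@ static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb,
 if (chain->use > 0)
 return -EBUSY;
 
-nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
+nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
 
 return nft_delchain(&ctx);
 }
@@ -2010,13 +2007,12 @@ static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
 
 static struct nft_expr_info *info;
 
-static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
-const struct nlmsghdr *nlh,
+static int nf_tables_newrule(struct net *net, struct sock *nlsk,
+struct sk_buff *skb, const struct nlmsghdr *nlh,
 const struct nlattr * const nla[])
 {
 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
 struct nft_af_info *afi;
-struct net *net = sock_net(skb->sk);
 struct nft_table *table;
 struct nft_chain *chain;
 struct nft_rule *rule, *old_rule = NULL;
@@ -2075,7 +2071,7 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
 return PTR_ERR(old_rule);
 }
 
-nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
+nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
 
 n = 0;
 size = 0;
@@ -2176,13 +2172,12 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
 return err;
 }
 
-static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
-const struct nlmsghdr *nlh,
+static int nf_tables_delrule(struct net *net, struct sock *nlsk,
+struct sk_buff *skb, const struct nlmsghdr *nlh,
 const struct nlattr * const nla[])
 {
 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
 struct nft_af_info *afi;
-struct net *net = sock_net(skb->sk);
 struct nft_table *table;
 struct nft_chain *chain = NULL;
 struct nft_rule *rule;
@@ -2205,7 +2200,7 @@ static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
 return PTR_ERR(chain);
 }
 
-nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
+nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
 
 if (chain) {
 if (nla[NFTA_RULE_HANDLE]) {
@@ -2344,12 +2339,11 @@ static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
 };
 
-static int nft_ctx_init_from_setattr(struct nft_ctx *ctx,
+static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
 const struct sk_buff *skb,
 const struct nlmsghdr *nlh,
 const struct nlattr * const nla[])
 {
-struct net *net = sock_net(skb->sk);
 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
 struct nft_af_info *afi = NULL;
 struct nft_table *table = NULL;
@@ -2371,7 +2365,7 @@ static int nft_ctx_init_from_setattr(struct nft_ctx *ctx,
 return -ENOENT;
 }
 
-nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
+nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
 return 0;
 }
 
@@ -2623,14 +2617,15 @@ static int nf_tables_getset(struct sock *nlsk, struct sk_buff *skb,
 const struct nlmsghdr *nlh,
 const struct nlattr * const nla[])
 {
+struct net *net = sock_net(skb->sk);
 const struct nft_set *set;
 struct nft_ctx ctx;
 struct sk_buff *skb2;
 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
 int err;
 
 /* Verify existence before starting dump */
-err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
+err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla);
 if (err < 0)
 return err;
 
@@ -2693,14 +2688,13 @@ static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
 return 0;
 }
 
-static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
-const struct nlmsghdr *nlh,
+static int nf_tables_newset(struct net *net, struct sock *nlsk,
+struct sk_buff *skb, const struct nlmsghdr *nlh,
 const struct nlattr * const nla[])
 {
 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
 const struct nft_set_ops *ops;
 struct nft_af_info *afi;
-struct net *net = sock_net(skb->sk);
 struct nft_table *table;
 struct nft_set *set;
 struct nft_ctx ctx;
@@ -2798,7 +2792,7 @@ static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
 if (IS_ERR(table))
 return PTR_ERR(table);
 
-nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
+nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
 
 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME]);
 if (IS_ERR(set)) {
@@ -2882,8 +2876,8 @@ static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set
 nft_set_destroy(set);
 }
 
-static int nf_tables_delset(struct sock *nlsk, struct sk_buff *skb,
-const struct nlmsghdr *nlh,
+static int nf_tables_delset(struct net *net, struct sock *nlsk,
+struct sk_buff *skb, const struct nlmsghdr *nlh,
 const struct nlattr * const nla[])
 {
 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
@@ -2896,7 +2890,7 @@ static int nf_tables_delset(struct sock *nlsk, struct sk_buff *skb,
 if (nla[NFTA_SET_TABLE] == NULL)
 return -EINVAL;
 
-err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
+err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla);
 if (err < 0)
 return err;
 
@@ -3024,7 +3018,7 @@ static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX +
 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
 };
 
-static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
+static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
 const struct sk_buff *skb,
 const struct nlmsghdr *nlh,
 const struct nlattr * const nla[],
@@ -3033,7 +3027,6 @@ static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
 struct nft_af_info *afi;
 struct nft_table *table;
-struct net *net = sock_net(skb->sk);
 
 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
 if (IS_ERR(afi))
@@ -3045,7 +3038,7 @@ static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
 if (!trans && (table->flags & NFT_TABLE_INACTIVE))
 return -ENOENT;
 
-nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
+nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
 return 0;
 }
 
@@ -3135,6 +3128,7 @@ static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
 
 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
 {
+struct net *net = sock_net(skb->sk);
 const struct nft_set *set;
 struct nft_set_dump_args args;
 struct nft_ctx ctx;
@@ -3150,8 +3144,8 @@ static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
 if (err < 0)
 return err;
 
-err = nft_ctx_init_from_elemattr(&ctx, cb->skb, cb->nlh, (void *)nla,
-false);
+err = nft_ctx_init_from_elemattr(&ctx, net, cb->skb, cb->nlh,
+(void *)nla, false);
 if (err < 0)
 return err;
 
@@ -3212,11 +3206,12 @@ static int nf_tables_getsetelem(struct sock *nlsk, struct sk_buff *skb,
 const struct nlmsghdr *nlh,
 const struct nlattr * const nla[])
 {
+struct net *net = sock_net(skb->sk);
 const struct nft_set *set;
 struct nft_ctx ctx;
 int err;
 
-err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, false);
+err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, false);
 if (err < 0)
 return err;
 
@@ -3528,11 +3523,10 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
 return err;
 }
 
-static int nf_tables_newsetelem(struct sock *nlsk, struct sk_buff *skb,
-const struct nlmsghdr *nlh,
+static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
+struct sk_buff *skb, const struct nlmsghdr *nlh,
 const struct nlattr * const nla[])
 {
-struct net *net = sock_net(skb->sk);
 const struct nlattr *attr;
 struct nft_set *set;
 struct nft_ctx ctx;
@@ -3541,7 +3535,7 @@ static int nf_tables_newsetelem(struct sock *nlsk, struct sk_buff *skb,
 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
 return -EINVAL;
 
-err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, true);
+err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, true);
 if (err < 0)
 return err;
 
@@ -3623,8 +3617,8 @@ static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
 return err;
 }
 
-static int nf_tables_delsetelem(struct sock *nlsk, struct sk_buff *skb,
-const struct nlmsghdr *nlh,
+static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
+struct sk_buff *skb, const struct nlmsghdr *nlh,
 const struct nlattr * const nla[])
 {
 const struct nlattr *attr;
@@ -3635,7 +3629,7 @@ static int nf_tables_delsetelem(struct sock *nlsk, struct sk_buff *skb,
 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
 return -EINVAL;
 
-err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, false);
+err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, false);
 if (err < 0)
 return err;
 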
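Review bot: In the nf_tables_dump_set hunk the namespace is now taken from the dump output `skb` (`struct net *net = sock_net(skb->sk)`) while the context is still built from the request `cb->skb`, whereas before this change nft_ctx_init_from_elemattr resolved it from `cb->skb->sk` itself; if the two sockets can ever sit in different namespaces the set lookup would be scoped by the wrong one, so either use `sock_net(cb->skb->sk)` there or add a comment stating why the output socket's namespace is the right one. More generally, nft_ctx_init's new `net` parameter silently takes over the job `sock_net(skb->sk)` used to do for every table/chain/set lookup, but the batch entry points now trust the caller for it while nf_tables_getset and nf_tables_getsetelem still derive it locally, presumably because they are reached through the non-batch `call` path rather than `call_batch`. A comment on nft_ctx_init's `net` parameter along the lines of `/* net: namespace the request is confined to; batch callbacks receive it from nfnetlink_rcv_batch, non-batch paths resolve it from the requesting socket */` would record that split so a future caller does not pass a stale or foreign namespace. nft_ctx_init's body continues outside the first hunk.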

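--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -381,7 +381,7 @@ static void nfnetlink_rcv_batch(struct sk_buff *skb, struct nlmsghdr *nlh,
 goto ack;
 
 if (nc->call_batch) {
-err = nc->call_batch(net->nfnl, skb, nlh,
+err = nc->call_batch(net, net->nfnl, skb, nlh,
 (const struct nlattr **)cda);
 }
 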