Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 98a38395 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso Committed by Sasha Levin
Browse files

netfilter: nft_compat: skip family comparison in case of NFPROTO_UNSPEC 



[ Upstream commit ba378ca9c04a5fc1b2cf0f0274a9d02eb3d1bad9 ]

Fix lookup of existing match/target structures in the corresponding list
by skipping the family check if NFPROTO_UNSPEC is used.

This is resulting in the allocation and insertion of one match/target
structure for each use of them. So this not only bloats memory
consumption but also severely affects the time to reload the ruleset
from the iptables-compat utility.

After this patch, iptables-compat-restore and iptables-compat take
almost the same time to reload large rulesets.

Fixes: 0ca743a5 ("netfilter: nf_tables: add compatibility layer for x_tables")
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
parent 8dafc993

net/netfilter/nft_compat.c

+26 −6
Original line number Diff line number Diff line
@@ -561,6 +561,13 @@ struct nft_xt { 


static struct nft_expr_type nft_match_type;



static bool nft_match_cmp(const struct xt_match *match,

			  const char *name, u32 rev, u32 family)

{

	return strcmp(match->name, name) == 0 && match->revision == rev &&

	       (match->family == NFPROTO_UNSPEC || match->family == family);

}



static const struct nft_expr_ops *

nft_match_select_ops(const struct nft_ctx *ctx,

		     const struct nlattr * const tb[])
@@ -568,7 +575,7 @@ nft_match_select_ops(const struct nft_ctx *ctx, 
	struct nft_xt *nft_match;

	struct xt_match *match;

	char *mt_name;

	__u32 rev, family;

	u32 rev, family;



	if (tb[NFTA_MATCH_NAME] == NULL ||

	    tb[NFTA_MATCH_REV] == NULL ||
@@ -583,10 +590,13 @@ nft_match_select_ops(const struct nft_ctx *ctx, 
	list_for_each_entry(nft_match, &nft_match_list, head) {

		struct xt_match *match = nft_match->ops.data;



		if (strcmp(match->name, mt_name) == 0 &&

		    match->revision == rev && match->family == family)

		if (nft_match_cmp(match, mt_name, rev, family)) {

			if (!try_module_get(match->me))

				return ERR_PTR(-ENOENT);



			return &nft_match->ops;

		}

	}



	match = xt_request_find_match(family, mt_name, rev);

	if (IS_ERR(match))
@@ -631,6 +641,13 @@ static LIST_HEAD(nft_target_list); 


static struct nft_expr_type nft_target_type;



static bool nft_target_cmp(const struct xt_target *tg,

			   const char *name, u32 rev, u32 family)

{

	return strcmp(tg->name, name) == 0 && tg->revision == rev &&

	       (tg->family == NFPROTO_UNSPEC || tg->family == family);

}



static const struct nft_expr_ops *

nft_target_select_ops(const struct nft_ctx *ctx,

		      const struct nlattr * const tb[])
@@ -638,7 +655,7 @@ nft_target_select_ops(const struct nft_ctx *ctx, 
	struct nft_xt *nft_target;

	struct xt_target *target;

	char *tg_name;

	__u32 rev, family;

	u32 rev, family;



	if (tb[NFTA_TARGET_NAME] == NULL ||

	    tb[NFTA_TARGET_REV] == NULL ||
@@ -653,10 +670,13 @@ nft_target_select_ops(const struct nft_ctx *ctx, 
	list_for_each_entry(nft_target, &nft_target_list, head) {

		struct xt_target *target = nft_target->ops.data;



		if (strcmp(target->name, tg_name) == 0 &&

		    target->revision == rev && target->family == family)

		if (nft_target_cmp(target, tg_name, rev, family)) {

			if (!try_module_get(target->me))

				return ERR_PTR(-ENOENT);



			return &nft_target->ops;

		}

	}



	target = xt_request_find_target(family, tg_name, rev);

	if (IS_ERR(target))