
netfilter: nf_tables: make counter support built-in

Make counter support built-in to allow for direct call in case of
CONFIG_RETPOLINE.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

+27 -51
+6
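--- a/include/net/netfilter/nf_tables_core.h
+++ b/include/net/netfilter/nf_tables_core.h
@@ -7,6 +7,7 @@
 
 extern struct nft_expr_type nft_imm_type;
 extern struct nft_expr_type nft_cmp_type;
+extern struct nft_expr_type nft_counter_type;
 extern struct nft_expr_type nft_lookup_type;
 extern struct nft_expr_type nft_bitwise_type;
 extern struct nft_expr_type nft_byteorder_type;
@@ -21,6 +22,7 @@
 #ifdef CONFIG_NETWORK_SECMARK
 extern struct nft_object_type nft_secmark_obj_type;
 #endif
+extern struct nft_object_type nft_counter_obj_type;
 
 int nf_tables_core_module_init(void);
 void nf_tables_core_module_exit(void);
@@ -120,6 +122,8 @@
 bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set,
 const u32 *key, const struct nft_set_ext **ext);
 
+void nft_counter_init_seqcount(void);
+
 struct nft_expr;
 struct nft_regs;
 struct nft_pktinfo;
@@ -143,4 +147,6 @@
 struct nft_regs *regs, const struct nft_pktinfo *pkt);
 void nft_rt_get_eval(const struct nft_expr *expr,
 struct nft_regs *regs, const struct nft_pktinfo *pkt);
+void nft_counter_eval(const struct nft_expr *expr, struct nft_regs *regs,
+const struct nft_pktinfo *pkt);
 #endif /* _NET_NF_TABLES_CORE_H */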
-6
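--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -515,12 +515,6 @@
 This option adds the "flow_offload" expression that you can use to
 choose what flows are placed into the hardware.
 
-config NFT_COUNTER
-tristate "Netfilter nf_tables counter module"
-help
-This option adds the "counter" expression that you can use to
-include packet and byte counters in a rule.
-
 config NFT_CONNLIMIT
 tristate "Netfilter nf_tables connlimit module"
 depends on NF_CONNTRACK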
+1 -2
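--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -75,7 +75,7 @@
 nf_tables_trace.o nft_immediate.o nft_cmp.o nft_range.o \
 nft_bitwise.o nft_byteorder.o nft_payload.o nft_lookup.o \
 nft_dynset.o nft_meta.o nft_rt.o nft_exthdr.o nft_last.o \
-nft_chain_route.o nf_tables_offload.o \
+nft_counter.o nft_chain_route.o nf_tables_offload.o \
 nft_set_hash.o nft_set_bitmap.o nft_set_rbtree.o \
 nft_set_pipapo.o
 
@@ -100,7 +100,6 @@
 obj-$(CONFIG_NFT_REJECT_INET) += nft_reject_inet.o
 obj-$(CONFIG_NFT_REJECT_NETDEV) += nft_reject_netdev.o
 obj-$(CONFIG_NFT_TUNNEL) += nft_tunnel.o
-obj-$(CONFIG_NFT_COUNTER) += nft_counter.o
 obj-$(CONFIG_NFT_LOG) += nft_log.o
 obj-$(CONFIG_NFT_MASQ) += nft_masq.o
 obj-$(CONFIG_NFT_REDIR) += nft_redir.o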
+5
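--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -169,6 +169,7 @@
 
 X(e, nft_payload_eval);
 X(e, nft_cmp_eval);
+X(e, nft_counter_eval);
 X(e, nft_meta_get_eval);
 X(e, nft_lookup_eval);
 X(e, nft_range_eval);
@@ -292,17 +293,21 @@
 &nft_rt_type,
 &nft_exthdr_type,
 &nft_last_type,
+&nft_counter_type,
 };
 
 static struct nft_object_type *nft_basic_objects[] = {
 #ifdef CONFIG_NETWORK_SECMARK
 &nft_secmark_obj_type,
 #endif
+&nft_counter_obj_type,
 };
 
 int __init nf_tables_core_module_init(void)
 {
 int err, i, j = 0;
+
+nft_counter_init_seqcount();
 
 for (i = 0; i < ARRAY_SIZE(nft_basic_objects); i++) {
 err = nft_register_obj(nft_basic_objects[i]);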
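Review bot: The new `nft_counter_init_seqcount();` call in nf_tables_core_module_init() has no comment explaining why it sits ahead of the registration loop. The removed nft_counter_module_init() likewise ran seqcount_init() for every possible CPU before nft_register_obj(), so the ordering looks intentional, but nothing in the new code says so. A one-line comment would keep a later reshuffle from moving it, e.g. `/* init per-cpu nft_counter_seq before any counter type is registered */`. The function body continues past the end of this hunk, so its error path is not visible here.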
+15 -43
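--- a/net/netfilter/nft_counter.c
+++ b/net/netfilter/nft_counter.c
@@ -13,6 +13,7 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter/nf_tables.h>
 #include <net/netfilter/nf_tables.h>
+#include <net/netfilter/nf_tables_core.h>
 #include <net/netfilter/nf_tables_offload.h>
 
 struct nft_counter {
@@ -174,7 +175,7 @@
 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
 };
 
-static struct nft_object_type nft_counter_obj_type;
+struct nft_object_type nft_counter_obj_type;
 static const struct nft_object_ops nft_counter_obj_ops = {
 .type = &nft_counter_obj_type,
 .size = sizeof(struct nft_counter_percpu_priv),
@@ -184,7 +185,7 @@
 .dump = nft_counter_obj_dump,
 };
 
-static struct nft_object_type nft_counter_obj_type __read_mostly = {
+struct nft_object_type nft_counter_obj_type __read_mostly = {
 .type = NFT_OBJECT_COUNTER,
 .ops = &nft_counter_obj_ops,
 .maxattr = NFTA_COUNTER_MAX,
@@ -192,9 +193,8 @@
 .owner = THIS_MODULE,
 };
 
-static void nft_counter_eval(const struct nft_expr *expr,
-struct nft_regs *regs,
-const struct nft_pktinfo *pkt)
+void nft_counter_eval(const struct nft_expr *expr, struct nft_regs *regs,
+const struct nft_pktinfo *pkt)
 {
 struct nft_counter_percpu_priv *priv = nft_expr_priv(expr);
 
@@ -275,7 +275,15 @@
 preempt_enable();
 }
 
-static struct nft_expr_type nft_counter_type;
+void nft_counter_init_seqcount(void)
+{
+int cpu;
+
+for_each_possible_cpu(cpu)
+seqcount_init(per_cpu_ptr(&nft_counter_seq, cpu));
+}
+
+struct nft_expr_type nft_counter_type;
 static const struct nft_expr_ops nft_counter_ops = {
 .type = &nft_counter_type,
 .size = NFT_EXPR_SIZE(sizeof(struct nft_counter_percpu_priv)),
@@ -289,7 +297,7 @@
 .offload_stats = nft_counter_offload_stats,
 };
 
-static struct nft_expr_type nft_counter_type __read_mostly = {
+struct nft_expr_type nft_counter_type __read_mostly = {
 .name = "counter",
 .ops = &nft_counter_ops,
 .policy = nft_counter_policy,
@@ -297,39 +305,3 @@
 .flags = NFT_EXPR_STATEFUL,
 .owner = THIS_MODULE,
 };
-
-static int __init nft_counter_module_init(void)
-{
-int cpu, err;
-
-for_each_possible_cpu(cpu)
-seqcount_init(per_cpu_ptr(&nft_counter_seq, cpu));
-
-err = nft_register_obj(&nft_counter_obj_type);
-if (err < 0)
-return err;
-
-err = nft_register_expr(&nft_counter_type);
-if (err < 0)
-goto err1;
-
-return 0;
-err1:
-nft_unregister_obj(&nft_counter_obj_type);
-return err;
-}
-
-static void __exit nft_counter_module_exit(void)
-{
-nft_unregister_expr(&nft_counter_type);
-nft_unregister_obj(&nft_counter_obj_type);
-}
-
-module_init(nft_counter_module_init);
-module_exit(nft_counter_module_exit);
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_ALIAS_NFT_EXPR("counter");
-MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_COUNTER);
-MODULE_DESCRIPTION("nftables counter rule support");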
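Review bot: The new `nft_counter_init_seqcount()` could be marked `__init`, since the only caller visible in this commit is nf_tables_core_module_init(), which is itself `__init`, and the removed code ran the same loop from an `__init` function. Provided no other caller exists outside this diff, the definition would read `void __init nft_counter_init_seqcount(void)`. Separately, the forward declarations `struct nft_object_type nft_counter_obj_type;` and `struct nft_expr_type nft_counter_type;` are now tentative definitions with external linkage. The newly included nf_tables_core.h already declares both symbols `extern`, so these two lines look redundant and could presumably be dropped.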