
netfilter: add and use jump label for xt_tee

Don't bother testing whether we need to switch to the alternate stack
unless the TEE target is used.

Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Florian Westphal and committed by
Pablo Neira Ayuso
dcebd315 7814b6ec

+16 -2
+7
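--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -3,6 +3,7 @@
 
 
 #include <linux/netdevice.h>
+#include <linux/static_key.h>
 #include <uapi/linux/netfilter/x_tables.h>
 
 /**
@@ -280,6 +279,12 @@
  * Low order bit set to 1 if a writer is active.
  */
 DECLARE_PER_CPU(seqcount_t, xt_recseq);
+
+/* xt_tee_enabled - true if x_tables needs to handle reentrancy
+ *
+ * Enabled if current ip(6)tables ruleset has at least one -j TEE rule.
+ */
+extern struct static_key xt_tee_enabled;
 
 /**
  * xt_write_recseq_begin - start of a write section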
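Review bot: The comment on the new extern says when the key is enabled but not the ordering the fast path depends on: the table walkers only reserve the alternate jumpstack while the key is true, so the key has to be raised before a TEE rule can be traversed and lowered only after the rule is unreachable. From the xt_TEE.c hunks this appears to be achieved by incrementing in the target's checkentry and decrementing in its destroy, but the header is where a reader looks for that contract. Suggest extending the comment with a line such as ` * Raised in tee_tg_check() before the rule is live, lowered in tee_tg_destroy().`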
+2 -1
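--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -340,7 +340,8 @@
 	 * For recursion via REJECT or SYNPROXY the stack will be clobbered
 	 * but it is no problem since absolute verdict is issued by these.
 	 */
-	jumpstack += private->stacksize * __this_cpu_read(nf_skb_duplicated);
+	if (static_key_false(&xt_tee_enabled))
+		jumpstack += private->stacksize * __this_cpu_read(nf_skb_duplicated);
 
 	e = get_entry(table_base, private->hook_entry[hook]);
 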
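Review bot: With the new guard, a re-entered ipt_do_table (nf_skb_duplicated set) uses the same jumpstack base as the outer call whenever xt_tee_enabled is false, so correctness now rests on the key never being false while a TEE-duplicated packet is in flight; nothing in this hunk records that assumption. The surrounding comment only justifies clobbering for the absolute verdicts of REJECT/SYNPROXY, so a short note on the new line would help: `/* key is raised by tee_tg_check() before any TEE rule can be hit */`. The same applies to the identical change in the ip6_tables.c hunk. ipt_do_table begins and ends outside the hunk.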
+2 -1
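--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -366,7 +366,8 @@
 	 * For recursion via REJECT or SYNPROXY the stack will be clobbered
 	 * but it is no problem since absolute verdict is issued by these.
 	 */
-	jumpstack += private->stacksize * __this_cpu_read(nf_skb_duplicated);
+	if (static_key_false(&xt_tee_enabled))
+		jumpstack += private->stacksize * __this_cpu_read(nf_skb_duplicated);
 
 	e = get_entry(table_base, private->hook_entry[hook]);
 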
+3
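--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -727,6 +727,9 @@
 DEFINE_PER_CPU(seqcount_t, xt_recseq);
 EXPORT_PER_CPU_SYMBOL_GPL(xt_recseq);
 
+struct static_key xt_tee_enabled __read_mostly;
+EXPORT_SYMBOL_GPL(xt_tee_enabled);
+
 static int xt_jumpstack_alloc(struct xt_table_info *i)
 {
 	unsigned int size;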
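Review bot: `struct static_key xt_tee_enabled __read_mostly;` relies on zero-initialisation of a file-scope object to mean "disabled"; the jump-label API provides `STATIC_KEY_INIT_FALSE` for exactly this, and `struct static_key xt_tee_enabled __read_mostly = STATIC_KEY_INIT_FALSE;` states the intended initial state explicitly. A one-line comment above the definition noting that the export exists for the xt_TEE module, which appears to be its only user in this series, would also tell later readers why a GPL export of a bare key is warranted.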
+2
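--- a/net/netfilter/xt_TEE.c
+++ b/net/netfilter/xt_TEE.c
@@ -251,5 +251,6 @@
 	} else
 		info->priv = NULL;
 
+	static_key_slow_inc(&xt_tee_enabled);
 	return 0;
 }
@@ -263,6 +262,7 @@
 		unregister_netdevice_notifier(&info->priv->notifier);
 		kfree(info->priv);
 	}
+	static_key_slow_dec(&xt_tee_enabled);
 }
 
 static struct xt_target tee_tg_reg[] __read_mostly = {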
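Review bot: static_key_slow_inc() sits on the success path of tee_tg_check only, while tee_tg_destroy decrements unconditionally; this balances only if destroy is never invoked for an entry whose checkentry failed, which the x_tables target contract presumably guarantees but the code does not state. Any failure path added later between the priv setup and the return would also have to precede the inc, or the count would drift and the alternate jumpstack would stay reserved after the last TEE rule is gone. A pairing comment above the new line, `/* paired with static_key_slow_dec() in tee_tg_destroy() */`, would make that explicit. Both tee_tg_check and tee_tg_destroy begin outside the hunk.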