tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

netfilter: nf_tables: make sets built-in

Placing nftables set support in an extra module is pointless:

1. nf_tables needs dynamic registeration interface for sake of one module
2. nft heavily relies on sets, e.g. even simple rule like
"nft ... tcp dport { 80, 443 }" will not work with _SETS=n.

IOW, either nftables isn't used or both nf_tables and nf_tables_set
modules are needed anyway.

With extra module:
307K net/netfilter/nf_tables.ko
79K net/netfilter/nf_tables_set.ko

text data bss dec filename
146416 3072 545 150033 nf_tables.ko
35496 1817 0 37313 nf_tables_set.ko

This patch:
373K net/netfilter/nf_tables.ko

178563 4049 545 183157 nf_tables.ko

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Florian Westphal and committed by
Pablo Neira Ayuso e32a4dc6 925d8446

+15 -80
-6
include/net/netfilter/nf_tables.h
··· 397 397 }; 398 398 #define to_set_type(o) container_of(o, struct nft_set_type, ops) 399 399 400 - int nft_register_set(struct nft_set_type *type); 401 - void nft_unregister_set(struct nft_set_type *type); 402 - 403 400 /** 404 401 * struct nft_set - nf_tables set instance 405 402 * ··· 1249 1252 1250 1253 #define MODULE_ALIAS_NFT_EXPR(name) \ 1251 1254 MODULE_ALIAS("nft-expr-" name) 1252 - 1253 - #define MODULE_ALIAS_NFT_SET() \ 1254 - MODULE_ALIAS("nft-set") 1255 1255 1256 1256 #define MODULE_ALIAS_NFT_OBJ(type) \ 1257 1257 MODULE_ALIAS("nft-obj-" __stringify(type))
-8
net/netfilter/Kconfig
··· 455 455 To compile it as a module, choose M here. 456 456 457 457 if NF_TABLES 458 - 459 - config NF_TABLES_SET 460 - tristate "Netfilter nf_tables set infrastructure" 461 - help 462 - This option enables the nf_tables set infrastructure that allows to 463 - look up for elements in a set and to build one-way mappings between 464 - matchings and actions. 465 - 466 458 config NF_TABLES_INET 467 459 depends on IPV6 468 460 select NF_TABLES_IPV4
+3 -6
net/netfilter/Makefile
··· 78 78 nf_tables_trace.o nft_immediate.o nft_cmp.o nft_range.o \ 79 79 nft_bitwise.o nft_byteorder.o nft_payload.o nft_lookup.o \ 80 80 nft_dynset.o nft_meta.o nft_rt.o nft_exthdr.o \ 81 - nft_chain_route.o nf_tables_offload.o 82 - 83 - nf_tables_set-objs := nf_tables_set_core.o \ 84 - nft_set_hash.o nft_set_bitmap.o nft_set_rbtree.o \ 85 - nft_set_pipapo.o 81 + nft_chain_route.o nf_tables_offload.o \ 82 + nft_set_hash.o nft_set_bitmap.o nft_set_rbtree.o \ 83 + nft_set_pipapo.o 86 84 87 85 obj-$(CONFIG_NF_TABLES) += nf_tables.o 88 - obj-$(CONFIG_NF_TABLES_SET) += nf_tables_set.o 89 86 obj-$(CONFIG_NFT_COMPAT) += nft_compat.o 90 87 obj-$(CONFIG_NFT_CONNLIMIT) += nft_connlimit.o 91 88 obj-$(CONFIG_NFT_NUMGEN) += nft_numgen.o
+12 -29
net/netfilter/nf_tables_api.c
··· 3266 3266 /* 3267 3267 * Sets 3268 3268 */ 3269 - 3270 - static LIST_HEAD(nf_tables_set_types); 3271 - 3272 - int nft_register_set(struct nft_set_type *type) 3273 - { 3274 - nfnl_lock(NFNL_SUBSYS_NFTABLES); 3275 - list_add_tail_rcu(&type->list, &nf_tables_set_types); 3276 - nfnl_unlock(NFNL_SUBSYS_NFTABLES); 3277 - return 0; 3278 - } 3279 - EXPORT_SYMBOL_GPL(nft_register_set); 3280 - 3281 - void nft_unregister_set(struct nft_set_type *type) 3282 - { 3283 - nfnl_lock(NFNL_SUBSYS_NFTABLES); 3284 - list_del_rcu(&type->list); 3285 - nfnl_unlock(NFNL_SUBSYS_NFTABLES); 3286 - } 3287 - EXPORT_SYMBOL_GPL(nft_unregister_set); 3269 + static const struct nft_set_type *nft_set_types[] = { 3270 + &nft_set_hash_fast_type, 3271 + &nft_set_hash_type, 3272 + &nft_set_rhash_type, 3273 + &nft_set_bitmap_type, 3274 + &nft_set_rbtree_type, 3275 + &nft_set_pipapo_type, 3276 + }; 3288 3277 3289 3278 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \ 3290 3279 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \ ··· 3299 3310 struct nft_set_estimate est, best; 3300 3311 const struct nft_set_type *type; 3301 3312 u32 flags = 0; 3313 + int i; 3302 3314 3303 3315 lockdep_assert_held(&ctx->net->nft.commit_mutex); 3304 3316 lockdep_nfnl_nft_mutex_not_held(); 3305 - #ifdef CONFIG_MODULES 3306 - if (list_empty(&nf_tables_set_types)) { 3307 - if (nft_request_module(ctx->net, "nft-set") == -EAGAIN) 3308 - return ERR_PTR(-EAGAIN); 3309 - } 3310 - #endif 3317 + 3311 3318 if (nla[NFTA_SET_FLAGS] != NULL) 3312 3319 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS])); 3313 3320 ··· 3312 3327 best.lookup = ~0; 3313 3328 best.space = ~0; 3314 3329 3315 - list_for_each_entry(type, &nf_tables_set_types, list) { 3330 + for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) { 3331 + type = nft_set_types[i]; 3316 3332 ops = &type->ops; 3317 3333 3318 3334 if (!nft_set_ops_candidate(type, flags)) ··· 4298 4312 .align = __alignof__(u32), 4299 4313 }, 4300 4314 }; 4301 - EXPORT_SYMBOL_GPL(nft_set_ext_types); 4302 4315 4303 4316 /* 4304 4317 * Set elements ··· 5350 5365 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true); 5351 5366 kfree(gcb); 5352 5367 } 5353 - EXPORT_SYMBOL_GPL(nft_set_gc_batch_release); 5354 5368 5355 5369 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set, 5356 5370 gfp_t gfp) ··· 5362 5378 gcb->head.set = set; 5363 5379 return gcb; 5364 5380 } 5365 - EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc); 5366 5381 5367 5382 /* 5368 5383 * Stateful objects
-31
net/netfilter/nf_tables_set_core.c
··· 1 - /* SPDX-License-Identifier: GPL-2.0 */ 2 - #include <linux/module.h> 3 - #include <net/netfilter/nf_tables_core.h> 4 - 5 - static int __init nf_tables_set_module_init(void) 6 - { 7 - nft_register_set(&nft_set_hash_fast_type); 8 - nft_register_set(&nft_set_hash_type); 9 - nft_register_set(&nft_set_rhash_type); 10 - nft_register_set(&nft_set_bitmap_type); 11 - nft_register_set(&nft_set_rbtree_type); 12 - nft_register_set(&nft_set_pipapo_type); 13 - 14 - return 0; 15 - } 16 - 17 - static void __exit nf_tables_set_module_exit(void) 18 - { 19 - nft_unregister_set(&nft_set_pipapo_type); 20 - nft_unregister_set(&nft_set_rbtree_type); 21 - nft_unregister_set(&nft_set_bitmap_type); 22 - nft_unregister_set(&nft_set_rhash_type); 23 - nft_unregister_set(&nft_set_hash_type); 24 - nft_unregister_set(&nft_set_hash_fast_type); 25 - } 26 - 27 - module_init(nf_tables_set_module_init); 28 - module_exit(nf_tables_set_module_exit); 29 - 30 - MODULE_LICENSE("GPL"); 31 - MODULE_ALIAS_NFT_SET();