]> git.baikalelectronics.ru Git - kernel.git/commitdiff
netfilter: nft_bitwise: track register operations
authorPablo Neira Ayuso <pablo@netfilter.org>
Sun, 9 Jan 2022 16:11:24 +0000 (17:11 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Sun, 9 Jan 2022 22:35:17 +0000 (23:35 +0100)
Check if the destination register already contains the data that this
bitwise expression performs. This allows to skip this redundant
operation.

If the destination contains a different bitwise operation, cancel the
register tracking information. If the destination contains no bitwise
operation, update the register tracking information.

Update the payload and meta expression to check if this bitwise
operation has been already performed on the register. Hence, both the
payload/meta and the bitwise expressions are reduced.

There is also a special case: If source register != destination register
and source register is not updated by a previous bitwise operation, then
transfer selector from the source register to the destination register.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
include/net/netfilter/nf_tables.h
net/netfilter/nft_bitwise.c
net/netfilter/nft_meta.c
net/netfilter/nft_payload.c

index 1c37ce61daeaf45a9262e9ee3badb1eed04a0e7f..eaf55da9a20506950f70dd5ef8888ebd86b5261e 100644 (file)
@@ -358,6 +358,8 @@ int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src);
 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr);
 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
                  const struct nft_expr *expr);
+bool nft_expr_reduce_bitwise(struct nft_regs_track *track,
+                            const struct nft_expr *expr);
 
 struct nft_set_ext;
 
index 47b0dba95054f0877037a392503e89ced02201a8..7b727d3ebf9df6159f9b7565f21e0465a6cd20ee 100644 (file)
@@ -278,12 +278,52 @@ static int nft_bitwise_offload(struct nft_offload_ctx *ctx,
        return 0;
 }
 
+static bool nft_bitwise_reduce(struct nft_regs_track *track,
+                              const struct nft_expr *expr)
+{
+       const struct nft_bitwise *priv = nft_expr_priv(expr);
+       const struct nft_bitwise *bitwise;
+
+       if (!track->regs[priv->sreg].selector)
+               return false;
+
+       bitwise = nft_expr_priv(expr);
+       if (track->regs[priv->sreg].selector == track->regs[priv->dreg].selector &&
+           track->regs[priv->dreg].bitwise &&
+           track->regs[priv->dreg].bitwise->ops == expr->ops &&
+           priv->sreg == bitwise->sreg &&
+           priv->dreg == bitwise->dreg &&
+           priv->op == bitwise->op &&
+           priv->len == bitwise->len &&
+           !memcmp(&priv->mask, &bitwise->mask, sizeof(priv->mask)) &&
+           !memcmp(&priv->xor, &bitwise->xor, sizeof(priv->xor)) &&
+           !memcmp(&priv->data, &bitwise->data, sizeof(priv->data))) {
+               track->cur = expr;
+               return true;
+       }
+
+       if (track->regs[priv->sreg].bitwise) {
+               track->regs[priv->dreg].selector = NULL;
+               track->regs[priv->dreg].bitwise = NULL;
+               return false;
+       }
+
+       if (priv->sreg != priv->dreg) {
+               track->regs[priv->dreg].selector =
+                       track->regs[priv->sreg].selector;
+       }
+       track->regs[priv->dreg].bitwise = expr;
+
+       return false;
+}
+
 static const struct nft_expr_ops nft_bitwise_ops = {
        .type           = &nft_bitwise_type,
        .size           = NFT_EXPR_SIZE(sizeof(struct nft_bitwise)),
        .eval           = nft_bitwise_eval,
        .init           = nft_bitwise_init,
        .dump           = nft_bitwise_dump,
+       .reduce         = nft_bitwise_reduce,
        .offload        = nft_bitwise_offload,
 };
 
@@ -385,12 +425,49 @@ static int nft_bitwise_fast_offload(struct nft_offload_ctx *ctx,
        return 0;
 }
 
+static bool nft_bitwise_fast_reduce(struct nft_regs_track *track,
+                                   const struct nft_expr *expr)
+{
+       const struct nft_bitwise_fast_expr *priv = nft_expr_priv(expr);
+       const struct nft_bitwise_fast_expr *bitwise;
+
+       if (!track->regs[priv->sreg].selector)
+               return false;
+
+       bitwise = nft_expr_priv(expr);
+       if (track->regs[priv->sreg].selector == track->regs[priv->dreg].selector &&
+           track->regs[priv->dreg].bitwise &&
+           track->regs[priv->dreg].bitwise->ops == expr->ops &&
+           priv->sreg == bitwise->sreg &&
+           priv->dreg == bitwise->dreg &&
+           priv->mask == bitwise->mask &&
+           priv->xor == bitwise->xor) {
+               track->cur = expr;
+               return true;
+       }
+
+       if (track->regs[priv->sreg].bitwise) {
+               track->regs[priv->dreg].selector = NULL;
+               track->regs[priv->dreg].bitwise = NULL;
+               return false;
+       }
+
+       if (priv->sreg != priv->dreg) {
+               track->regs[priv->dreg].selector =
+                       track->regs[priv->sreg].selector;
+       }
+       track->regs[priv->dreg].bitwise = expr;
+
+       return false;
+}
+
 const struct nft_expr_ops nft_bitwise_fast_ops = {
        .type           = &nft_bitwise_type,
        .size           = NFT_EXPR_SIZE(sizeof(struct nft_bitwise_fast_expr)),
        .eval           = NULL, /* inlined */
        .init           = nft_bitwise_fast_init,
        .dump           = nft_bitwise_fast_dump,
+       .reduce         = nft_bitwise_fast_reduce,
        .offload        = nft_bitwise_fast_offload,
 };
 
@@ -427,3 +504,21 @@ struct nft_expr_type nft_bitwise_type __read_mostly = {
        .maxattr        = NFTA_BITWISE_MAX,
        .owner          = THIS_MODULE,
 };
+
+bool nft_expr_reduce_bitwise(struct nft_regs_track *track,
+                            const struct nft_expr *expr)
+{
+       const struct nft_expr *last = track->last;
+       const struct nft_expr *next;
+
+       if (expr == last)
+               return false;
+
+       next = nft_expr_next(expr);
+       if (next->ops == &nft_bitwise_ops)
+               return nft_bitwise_reduce(track, next);
+       else if (next->ops == &nft_bitwise_fast_ops)
+               return nft_bitwise_fast_reduce(track, next);
+
+       return false;
+}
index 430f40bc3cb4c21e8ea91866a9395e3fbbf39fd5..40fe48fcf9d06c90269f0fcf805cc0b8cef847dc 100644 (file)
@@ -774,7 +774,7 @@ static bool nft_meta_get_reduce(struct nft_regs_track *track,
        if (!track->regs[priv->dreg].bitwise)
                return true;
 
-       return false;
+       return nft_expr_reduce_bitwise(track, expr);
 }
 
 static const struct nft_expr_ops nft_meta_get_ops = {
index 7a7c66e9a50e4a6ab18289c1314f56e273729a44..f518bf6349976092b2f3bb909643e3d3adcacc89 100644 (file)
@@ -235,7 +235,7 @@ static bool nft_payload_reduce(struct nft_regs_track *track,
        if (!track->regs[priv->dreg].bitwise)
                return true;
 
-       return false;
+       return nft_expr_reduce_bitwise(track, expr);
 }
 
 static bool nft_payload_offload_mask(struct nft_offload_reg *reg,