diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2009-06-03 04:32:06 -0400 |
---|---|---|
committer | pablo <pablo@1984.(none)> | 2009-06-03 04:32:06 -0400 |
commit | e34d5c1a4f9919a81b4ea4591d7383245f35cb8e (patch) | |
tree | 0a19bfe3e162b2b8de9b9414dcc2bef0a07e7133 /net/netfilter | |
parent | 17e6e4eac070607a35464ea7e2c5eceac32e5eca (diff) |
netfilter: conntrack: replace notify chain by function pointer
This patch removes the notify chain infrastructure and replace it
by a simple function pointer. This issue has been mentioned in the
mailing list several times: the use of the notify chain adds
too much overhead for something that is only used by ctnetlink.
This patch also changes nfnetlink_send(). It seems that gfp_any()
returns GFP_KERNEL for user-context request, like those via
ctnetlink, inside the RCU read-side section which is not valid.
Using GFP_KERNEL is also evil since netlink may schedule(),
this leads to "scheduling while atomic" bug reports.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter')
-rw-r--r-- | net/netfilter/nf_conntrack_ecache.c | 83 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_netlink.c | 42 | ||||
-rw-r--r-- | net/netfilter/nfnetlink.c | 5 |
3 files changed, 90 insertions, 40 deletions
diff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c index dee4190209cc..5516b3e64b43 100644 --- a/net/netfilter/nf_conntrack_ecache.c +++ b/net/netfilter/nf_conntrack_ecache.c | |||
@@ -16,24 +16,32 @@ | |||
16 | #include <linux/stddef.h> | 16 | #include <linux/stddef.h> |
17 | #include <linux/err.h> | 17 | #include <linux/err.h> |
18 | #include <linux/percpu.h> | 18 | #include <linux/percpu.h> |
19 | #include <linux/notifier.h> | ||
20 | #include <linux/kernel.h> | 19 | #include <linux/kernel.h> |
21 | #include <linux/netdevice.h> | 20 | #include <linux/netdevice.h> |
22 | 21 | ||
23 | #include <net/netfilter/nf_conntrack.h> | 22 | #include <net/netfilter/nf_conntrack.h> |
24 | #include <net/netfilter/nf_conntrack_core.h> | 23 | #include <net/netfilter/nf_conntrack_core.h> |
25 | 24 | ||
26 | ATOMIC_NOTIFIER_HEAD(nf_conntrack_chain); | 25 | static DEFINE_MUTEX(nf_ct_ecache_mutex); |
27 | EXPORT_SYMBOL_GPL(nf_conntrack_chain); | ||
28 | 26 | ||
29 | ATOMIC_NOTIFIER_HEAD(nf_ct_expect_chain); | 27 | struct nf_ct_event_notifier *nf_conntrack_event_cb __read_mostly; |
30 | EXPORT_SYMBOL_GPL(nf_ct_expect_chain); | 28 | EXPORT_SYMBOL_GPL(nf_conntrack_event_cb); |
29 | |||
30 | struct nf_exp_event_notifier *nf_expect_event_cb __read_mostly; | ||
31 | EXPORT_SYMBOL_GPL(nf_expect_event_cb); | ||
31 | 32 | ||
32 | /* deliver cached events and clear cache entry - must be called with locally | 33 | /* deliver cached events and clear cache entry - must be called with locally |
33 | * disabled softirqs */ | 34 | * disabled softirqs */ |
34 | static inline void | 35 | static inline void |
35 | __nf_ct_deliver_cached_events(struct nf_conntrack_ecache *ecache) | 36 | __nf_ct_deliver_cached_events(struct nf_conntrack_ecache *ecache) |
36 | { | 37 | { |
38 | struct nf_ct_event_notifier *notify; | ||
39 | |||
40 | rcu_read_lock(); | ||
41 | notify = rcu_dereference(nf_conntrack_event_cb); | ||
42 | if (notify == NULL) | ||
43 | goto out_unlock; | ||
44 | |||
37 | if (nf_ct_is_confirmed(ecache->ct) && !nf_ct_is_dying(ecache->ct) | 45 | if (nf_ct_is_confirmed(ecache->ct) && !nf_ct_is_dying(ecache->ct) |
38 | && ecache->events) { | 46 | && ecache->events) { |
39 | struct nf_ct_event item = { | 47 | struct nf_ct_event item = { |
@@ -42,14 +50,15 @@ __nf_ct_deliver_cached_events(struct nf_conntrack_ecache *ecache) | |||
42 | .report = 0 | 50 | .report = 0 |
43 | }; | 51 | }; |
44 | 52 | ||
45 | atomic_notifier_call_chain(&nf_conntrack_chain, | 53 | notify->fcn(ecache->events, &item); |
46 | ecache->events, | ||
47 | &item); | ||
48 | } | 54 | } |
49 | 55 | ||
50 | ecache->events = 0; | 56 | ecache->events = 0; |
51 | nf_ct_put(ecache->ct); | 57 | nf_ct_put(ecache->ct); |
52 | ecache->ct = NULL; | 58 | ecache->ct = NULL; |
59 | |||
60 | out_unlock: | ||
61 | rcu_read_unlock(); | ||
53 | } | 62 | } |
54 | 63 | ||
55 | /* Deliver all cached events for a particular conntrack. This is called | 64 | /* Deliver all cached events for a particular conntrack. This is called |
@@ -111,26 +120,68 @@ void nf_conntrack_ecache_fini(struct net *net) | |||
111 | free_percpu(net->ct.ecache); | 120 | free_percpu(net->ct.ecache); |
112 | } | 121 | } |
113 | 122 | ||
114 | int nf_conntrack_register_notifier(struct notifier_block *nb) | 123 | int nf_conntrack_register_notifier(struct nf_ct_event_notifier *new) |
115 | { | 124 | { |
116 | return atomic_notifier_chain_register(&nf_conntrack_chain, nb); | 125 | int ret = 0; |
126 | struct nf_ct_event_notifier *notify; | ||
127 | |||
128 | mutex_lock(&nf_ct_ecache_mutex); | ||
129 | notify = rcu_dereference(nf_conntrack_event_cb); | ||
130 | if (notify != NULL) { | ||
131 | ret = -EBUSY; | ||
132 | goto out_unlock; | ||
133 | } | ||
134 | rcu_assign_pointer(nf_conntrack_event_cb, new); | ||
135 | mutex_unlock(&nf_ct_ecache_mutex); | ||
136 | return ret; | ||
137 | |||
138 | out_unlock: | ||
139 | mutex_unlock(&nf_ct_ecache_mutex); | ||
140 | return ret; | ||
117 | } | 141 | } |
118 | EXPORT_SYMBOL_GPL(nf_conntrack_register_notifier); | 142 | EXPORT_SYMBOL_GPL(nf_conntrack_register_notifier); |
119 | 143 | ||
120 | int nf_conntrack_unregister_notifier(struct notifier_block *nb) | 144 | void nf_conntrack_unregister_notifier(struct nf_ct_event_notifier *new) |
121 | { | 145 | { |
122 | return atomic_notifier_chain_unregister(&nf_conntrack_chain, nb); | 146 | struct nf_ct_event_notifier *notify; |
147 | |||
148 | mutex_lock(&nf_ct_ecache_mutex); | ||
149 | notify = rcu_dereference(nf_conntrack_event_cb); | ||
150 | BUG_ON(notify != new); | ||
151 | rcu_assign_pointer(nf_conntrack_event_cb, NULL); | ||
152 | mutex_unlock(&nf_ct_ecache_mutex); | ||
123 | } | 153 | } |
124 | EXPORT_SYMBOL_GPL(nf_conntrack_unregister_notifier); | 154 | EXPORT_SYMBOL_GPL(nf_conntrack_unregister_notifier); |
125 | 155 | ||
126 | int nf_ct_expect_register_notifier(struct notifier_block *nb) | 156 | int nf_ct_expect_register_notifier(struct nf_exp_event_notifier *new) |
127 | { | 157 | { |
128 | return atomic_notifier_chain_register(&nf_ct_expect_chain, nb); | 158 | int ret = 0; |
159 | struct nf_exp_event_notifier *notify; | ||
160 | |||
161 | mutex_lock(&nf_ct_ecache_mutex); | ||
162 | notify = rcu_dereference(nf_expect_event_cb); | ||
163 | if (notify != NULL) { | ||
164 | ret = -EBUSY; | ||
165 | goto out_unlock; | ||
166 | } | ||
167 | rcu_assign_pointer(nf_expect_event_cb, new); | ||
168 | mutex_unlock(&nf_ct_ecache_mutex); | ||
169 | return ret; | ||
170 | |||
171 | out_unlock: | ||
172 | mutex_unlock(&nf_ct_ecache_mutex); | ||
173 | return ret; | ||
129 | } | 174 | } |
130 | EXPORT_SYMBOL_GPL(nf_ct_expect_register_notifier); | 175 | EXPORT_SYMBOL_GPL(nf_ct_expect_register_notifier); |
131 | 176 | ||
132 | int nf_ct_expect_unregister_notifier(struct notifier_block *nb) | 177 | void nf_ct_expect_unregister_notifier(struct nf_exp_event_notifier *new) |
133 | { | 178 | { |
134 | return atomic_notifier_chain_unregister(&nf_ct_expect_chain, nb); | 179 | struct nf_exp_event_notifier *notify; |
180 | |||
181 | mutex_lock(&nf_ct_ecache_mutex); | ||
182 | notify = rcu_dereference(nf_expect_event_cb); | ||
183 | BUG_ON(notify != new); | ||
184 | rcu_assign_pointer(nf_expect_event_cb, NULL); | ||
185 | mutex_unlock(&nf_ct_ecache_mutex); | ||
135 | } | 186 | } |
136 | EXPORT_SYMBOL_GPL(nf_ct_expect_unregister_notifier); | 187 | EXPORT_SYMBOL_GPL(nf_ct_expect_unregister_notifier); |
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index b1b9e4fb7ded..4448b062de0c 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c | |||
@@ -27,7 +27,6 @@ | |||
27 | #include <linux/netlink.h> | 27 | #include <linux/netlink.h> |
28 | #include <linux/spinlock.h> | 28 | #include <linux/spinlock.h> |
29 | #include <linux/interrupt.h> | 29 | #include <linux/interrupt.h> |
30 | #include <linux/notifier.h> | ||
31 | 30 | ||
32 | #include <linux/netfilter.h> | 31 | #include <linux/netfilter.h> |
33 | #include <net/netlink.h> | 32 | #include <net/netlink.h> |
@@ -454,13 +453,12 @@ ctnetlink_nlmsg_size(const struct nf_conn *ct) | |||
454 | ; | 453 | ; |
455 | } | 454 | } |
456 | 455 | ||
457 | static int ctnetlink_conntrack_event(struct notifier_block *this, | 456 | static int |
458 | unsigned long events, void *ptr) | 457 | ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item) |
459 | { | 458 | { |
460 | struct nlmsghdr *nlh; | 459 | struct nlmsghdr *nlh; |
461 | struct nfgenmsg *nfmsg; | 460 | struct nfgenmsg *nfmsg; |
462 | struct nlattr *nest_parms; | 461 | struct nlattr *nest_parms; |
463 | struct nf_ct_event *item = (struct nf_ct_event *)ptr; | ||
464 | struct nf_conn *ct = item->ct; | 462 | struct nf_conn *ct = item->ct; |
465 | struct sk_buff *skb; | 463 | struct sk_buff *skb; |
466 | unsigned int type; | 464 | unsigned int type; |
@@ -468,7 +466,7 @@ static int ctnetlink_conntrack_event(struct notifier_block *this, | |||
468 | 466 | ||
469 | /* ignore our fake conntrack entry */ | 467 | /* ignore our fake conntrack entry */ |
470 | if (ct == &nf_conntrack_untracked) | 468 | if (ct == &nf_conntrack_untracked) |
471 | return NOTIFY_DONE; | 469 | return 0; |
472 | 470 | ||
473 | if (events & IPCT_DESTROY) { | 471 | if (events & IPCT_DESTROY) { |
474 | type = IPCTNL_MSG_CT_DELETE; | 472 | type = IPCTNL_MSG_CT_DELETE; |
@@ -481,10 +479,10 @@ static int ctnetlink_conntrack_event(struct notifier_block *this, | |||
481 | type = IPCTNL_MSG_CT_NEW; | 479 | type = IPCTNL_MSG_CT_NEW; |
482 | group = NFNLGRP_CONNTRACK_UPDATE; | 480 | group = NFNLGRP_CONNTRACK_UPDATE; |
483 | } else | 481 | } else |
484 | return NOTIFY_DONE; | 482 | return 0; |
485 | 483 | ||
486 | if (!item->report && !nfnetlink_has_listeners(group)) | 484 | if (!item->report && !nfnetlink_has_listeners(group)) |
487 | return NOTIFY_DONE; | 485 | return 0; |
488 | 486 | ||
489 | skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC); | 487 | skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC); |
490 | if (skb == NULL) | 488 | if (skb == NULL) |
@@ -560,8 +558,8 @@ static int ctnetlink_conntrack_event(struct notifier_block *this, | |||
560 | rcu_read_unlock(); | 558 | rcu_read_unlock(); |
561 | 559 | ||
562 | nlmsg_end(skb, nlh); | 560 | nlmsg_end(skb, nlh); |
563 | nfnetlink_send(skb, item->pid, group, item->report); | 561 | nfnetlink_send(skb, item->pid, group, item->report, GFP_ATOMIC); |
564 | return NOTIFY_DONE; | 562 | return 0; |
565 | 563 | ||
566 | nla_put_failure: | 564 | nla_put_failure: |
567 | rcu_read_unlock(); | 565 | rcu_read_unlock(); |
@@ -570,7 +568,7 @@ nlmsg_failure: | |||
570 | kfree_skb(skb); | 568 | kfree_skb(skb); |
571 | errout: | 569 | errout: |
572 | nfnetlink_set_err(0, group, -ENOBUFS); | 570 | nfnetlink_set_err(0, group, -ENOBUFS); |
573 | return NOTIFY_DONE; | 571 | return 0; |
574 | } | 572 | } |
575 | #endif /* CONFIG_NF_CONNTRACK_EVENTS */ | 573 | #endif /* CONFIG_NF_CONNTRACK_EVENTS */ |
576 | 574 | ||
@@ -1507,12 +1505,11 @@ nla_put_failure: | |||
1507 | } | 1505 | } |
1508 | 1506 | ||
1509 | #ifdef CONFIG_NF_CONNTRACK_EVENTS | 1507 | #ifdef CONFIG_NF_CONNTRACK_EVENTS |
1510 | static int ctnetlink_expect_event(struct notifier_block *this, | 1508 | static int |
1511 | unsigned long events, void *ptr) | 1509 | ctnetlink_expect_event(unsigned int events, struct nf_exp_event *item) |
1512 | { | 1510 | { |
1513 | struct nlmsghdr *nlh; | 1511 | struct nlmsghdr *nlh; |
1514 | struct nfgenmsg *nfmsg; | 1512 | struct nfgenmsg *nfmsg; |
1515 | struct nf_exp_event *item = (struct nf_exp_event *)ptr; | ||
1516 | struct nf_conntrack_expect *exp = item->exp; | 1513 | struct nf_conntrack_expect *exp = item->exp; |
1517 | struct sk_buff *skb; | 1514 | struct sk_buff *skb; |
1518 | unsigned int type; | 1515 | unsigned int type; |
@@ -1522,11 +1519,11 @@ static int ctnetlink_expect_event(struct notifier_block *this, | |||
1522 | type = IPCTNL_MSG_EXP_NEW; | 1519 | type = IPCTNL_MSG_EXP_NEW; |
1523 | flags = NLM_F_CREATE|NLM_F_EXCL; | 1520 | flags = NLM_F_CREATE|NLM_F_EXCL; |
1524 | } else | 1521 | } else |
1525 | return NOTIFY_DONE; | 1522 | return 0; |
1526 | 1523 | ||
1527 | if (!item->report && | 1524 | if (!item->report && |
1528 | !nfnetlink_has_listeners(NFNLGRP_CONNTRACK_EXP_NEW)) | 1525 | !nfnetlink_has_listeners(NFNLGRP_CONNTRACK_EXP_NEW)) |
1529 | return NOTIFY_DONE; | 1526 | return 0; |
1530 | 1527 | ||
1531 | skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); | 1528 | skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); |
1532 | if (skb == NULL) | 1529 | if (skb == NULL) |
@@ -1548,8 +1545,9 @@ static int ctnetlink_expect_event(struct notifier_block *this, | |||
1548 | rcu_read_unlock(); | 1545 | rcu_read_unlock(); |
1549 | 1546 | ||
1550 | nlmsg_end(skb, nlh); | 1547 | nlmsg_end(skb, nlh); |
1551 | nfnetlink_send(skb, item->pid, NFNLGRP_CONNTRACK_EXP_NEW, item->report); | 1548 | nfnetlink_send(skb, item->pid, NFNLGRP_CONNTRACK_EXP_NEW, |
1552 | return NOTIFY_DONE; | 1549 | item->report, GFP_ATOMIC); |
1550 | return 0; | ||
1553 | 1551 | ||
1554 | nla_put_failure: | 1552 | nla_put_failure: |
1555 | rcu_read_unlock(); | 1553 | rcu_read_unlock(); |
@@ -1558,7 +1556,7 @@ nlmsg_failure: | |||
1558 | kfree_skb(skb); | 1556 | kfree_skb(skb); |
1559 | errout: | 1557 | errout: |
1560 | nfnetlink_set_err(0, 0, -ENOBUFS); | 1558 | nfnetlink_set_err(0, 0, -ENOBUFS); |
1561 | return NOTIFY_DONE; | 1559 | return 0; |
1562 | } | 1560 | } |
1563 | #endif | 1561 | #endif |
1564 | static int ctnetlink_exp_done(struct netlink_callback *cb) | 1562 | static int ctnetlink_exp_done(struct netlink_callback *cb) |
@@ -1864,12 +1862,12 @@ ctnetlink_new_expect(struct sock *ctnl, struct sk_buff *skb, | |||
1864 | } | 1862 | } |
1865 | 1863 | ||
1866 | #ifdef CONFIG_NF_CONNTRACK_EVENTS | 1864 | #ifdef CONFIG_NF_CONNTRACK_EVENTS |
1867 | static struct notifier_block ctnl_notifier = { | 1865 | static struct nf_ct_event_notifier ctnl_notifier = { |
1868 | .notifier_call = ctnetlink_conntrack_event, | 1866 | .fcn = ctnetlink_conntrack_event, |
1869 | }; | 1867 | }; |
1870 | 1868 | ||
1871 | static struct notifier_block ctnl_notifier_exp = { | 1869 | static struct nf_exp_event_notifier ctnl_notifier_exp = { |
1872 | .notifier_call = ctnetlink_expect_event, | 1870 | .fcn = ctnetlink_expect_event, |
1873 | }; | 1871 | }; |
1874 | #endif | 1872 | #endif |
1875 | 1873 | ||
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c index 9dbd5709aad7..92761a988375 100644 --- a/net/netfilter/nfnetlink.c +++ b/net/netfilter/nfnetlink.c | |||
@@ -107,9 +107,10 @@ int nfnetlink_has_listeners(unsigned int group) | |||
107 | } | 107 | } |
108 | EXPORT_SYMBOL_GPL(nfnetlink_has_listeners); | 108 | EXPORT_SYMBOL_GPL(nfnetlink_has_listeners); |
109 | 109 | ||
110 | int nfnetlink_send(struct sk_buff *skb, u32 pid, unsigned group, int echo) | 110 | int nfnetlink_send(struct sk_buff *skb, u32 pid, |
111 | unsigned group, int echo, gfp_t flags) | ||
111 | { | 112 | { |
112 | return nlmsg_notify(nfnl, skb, pid, group, echo, gfp_any()); | 113 | return nlmsg_notify(nfnl, skb, pid, group, echo, flags); |
113 | } | 114 | } |
114 | EXPORT_SYMBOL_GPL(nfnetlink_send); | 115 | EXPORT_SYMBOL_GPL(nfnetlink_send); |
115 | 116 | ||