]> git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/blob - net/netfilter/nft_set_hash.c
projects / mirror_ubuntu-hirsute-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge tag 'v5.3-rc1' into patchwork
[mirror_ubuntu-hirsute-kernel.git] / net / netfilter / nft_set_hash.c
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2008-2014 Patrick McHardy <kaber@trash.net>
4 *
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
6 */
7
8 #include <linux/kernel.h>
9 #include <linux/init.h>
10 #include <linux/module.h>
11 #include <linux/list.h>
12 #include <linux/log2.h>
13 #include <linux/jhash.h>
14 #include <linux/netlink.h>
15 #include <linux/workqueue.h>
16 #include <linux/rhashtable.h>
17 #include <linux/netfilter.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables.h>
20
21 /* We target a hash table size of 4, element hint is 75% of final size */
22 #define NFT_RHASH_ELEMENT_HINT 3
23
24 struct nft_rhash {
25 struct rhashtable ht;
26 struct delayed_work gc_work;
27 };
28
29 struct nft_rhash_elem {
30 struct rhash_head node;
31 struct nft_set_ext ext;
32 };
33
34 struct nft_rhash_cmp_arg {
35 const struct nft_set *set;
36 const u32 *key;
37 u8 genmask;
38 };
39
40 static inline u32 nft_rhash_key(const void *data, u32 len, u32 seed)
41 {
42 const struct nft_rhash_cmp_arg *arg = data;
43
44 return jhash(arg->key, len, seed);
45 }
46
47 static inline u32 nft_rhash_obj(const void *data, u32 len, u32 seed)
48 {
49 const struct nft_rhash_elem *he = data;
50
51 return jhash(nft_set_ext_key(&he->ext), len, seed);
52 }
53
54 static inline int nft_rhash_cmp(struct rhashtable_compare_arg *arg,
55 const void *ptr)
56 {
57 const struct nft_rhash_cmp_arg *x = arg->key;
58 const struct nft_rhash_elem *he = ptr;
59
60 if (memcmp(nft_set_ext_key(&he->ext), x->key, x->set->klen))
61 return 1;
62 if (nft_set_elem_expired(&he->ext))
63 return 1;
64 if (!nft_set_elem_active(&he->ext, x->genmask))
65 return 1;
66 return 0;
67 }
68
69 static const struct rhashtable_params nft_rhash_params = {
70 .head_offset = offsetof(struct nft_rhash_elem, node),
71 .hashfn = nft_rhash_key,
72 .obj_hashfn = nft_rhash_obj,
73 .obj_cmpfn = nft_rhash_cmp,
74 .automatic_shrinking = true,
75 };
76
77 static bool nft_rhash_lookup(const struct net *net, const struct nft_set *set,
78 const u32 *key, const struct nft_set_ext **ext)
79 {
80 struct nft_rhash *priv = nft_set_priv(set);
81 const struct nft_rhash_elem *he;
82 struct nft_rhash_cmp_arg arg = {
83 .genmask = nft_genmask_cur(net),
84 .set = set,
85 .key = key,
86 };
87
88 he = rhashtable_lookup(&priv->ht, &arg, nft_rhash_params);
89 if (he != NULL)
90 *ext = &he->ext;
91
92 return !!he;
93 }
94
95 static void *nft_rhash_get(const struct net *net, const struct nft_set *set,
96 const struct nft_set_elem *elem, unsigned int flags)
97 {
98 struct nft_rhash *priv = nft_set_priv(set);
99 struct nft_rhash_elem *he;
100 struct nft_rhash_cmp_arg arg = {
101 .genmask = nft_genmask_cur(net),
102 .set = set,
103 .key = elem->key.val.data,
104 };
105
106 he = rhashtable_lookup(&priv->ht, &arg, nft_rhash_params);
107 if (he != NULL)
108 return he;
109
110 return ERR_PTR(-ENOENT);
111 }
112
113 static bool nft_rhash_update(struct nft_set *set, const u32 *key,
114 void *(*new)(struct nft_set *,
115 const struct nft_expr *,
116 struct nft_regs *regs),
117 const struct nft_expr *expr,
118 struct nft_regs *regs,
119 const struct nft_set_ext **ext)
120 {
121 struct nft_rhash *priv = nft_set_priv(set);
122 struct nft_rhash_elem *he, *prev;
123 struct nft_rhash_cmp_arg arg = {
124 .genmask = NFT_GENMASK_ANY,
125 .set = set,
126 .key = key,
127 };
128
129 he = rhashtable_lookup(&priv->ht, &arg, nft_rhash_params);
130 if (he != NULL)
131 goto out;
132
133 he = new(set, expr, regs);
134 if (he == NULL)
135 goto err1;
136
137 prev = rhashtable_lookup_get_insert_key(&priv->ht, &arg, &he->node,
138 nft_rhash_params);
139 if (IS_ERR(prev))
140 goto err2;
141
142 /* Another cpu may race to insert the element with the same key */
143 if (prev) {
144 nft_set_elem_destroy(set, he, true);
145 he = prev;
146 }
147
148 out:
149 *ext = &he->ext;
150 return true;
151
152 err2:
153 nft_set_elem_destroy(set, he, true);
154 err1:
155 return false;
156 }
157
158 static int nft_rhash_insert(const struct net *net, const struct nft_set *set,
159 const struct nft_set_elem *elem,
160 struct nft_set_ext **ext)
161 {
162 struct nft_rhash *priv = nft_set_priv(set);
163 struct nft_rhash_elem *he = elem->priv;
164 struct nft_rhash_cmp_arg arg = {
165 .genmask = nft_genmask_next(net),
166 .set = set,
167 .key = elem->key.val.data,
168 };
169 struct nft_rhash_elem *prev;
170
171 prev = rhashtable_lookup_get_insert_key(&priv->ht, &arg, &he->node,
172 nft_rhash_params);
173 if (IS_ERR(prev))
174 return PTR_ERR(prev);
175 if (prev) {
176 *ext = &prev->ext;
177 return -EEXIST;
178 }
179 return 0;
180 }
181
182 static void nft_rhash_activate(const struct net *net, const struct nft_set *set,
183 const struct nft_set_elem *elem)
184 {
185 struct nft_rhash_elem *he = elem->priv;
186
187 nft_set_elem_change_active(net, set, &he->ext);
188 nft_set_elem_clear_busy(&he->ext);
189 }
190
191 static bool nft_rhash_flush(const struct net *net,
192 const struct nft_set *set, void *priv)
193 {
194 struct nft_rhash_elem *he = priv;
195
196 if (!nft_set_elem_mark_busy(&he->ext) ||
197 !nft_is_active(net, &he->ext)) {
198 nft_set_elem_change_active(net, set, &he->ext);
199 return true;
200 }
201 return false;
202 }
203
204 static void *nft_rhash_deactivate(const struct net *net,
205 const struct nft_set *set,
206 const struct nft_set_elem *elem)
207 {
208 struct nft_rhash *priv = nft_set_priv(set);
209 struct nft_rhash_elem *he;
210 struct nft_rhash_cmp_arg arg = {
211 .genmask = nft_genmask_next(net),
212 .set = set,
213 .key = elem->key.val.data,
214 };
215
216 rcu_read_lock();
217 he = rhashtable_lookup(&priv->ht, &arg, nft_rhash_params);
218 if (he != NULL &&
219 !nft_rhash_flush(net, set, he))
220 he = NULL;
221
222 rcu_read_unlock();
223
224 return he;
225 }
226
227 static void nft_rhash_remove(const struct net *net,
228 const struct nft_set *set,
229 const struct nft_set_elem *elem)
230 {
231 struct nft_rhash *priv = nft_set_priv(set);
232 struct nft_rhash_elem *he = elem->priv;
233
234 rhashtable_remove_fast(&priv->ht, &he->node, nft_rhash_params);
235 }
236
237 static void nft_rhash_walk(const struct nft_ctx *ctx, struct nft_set *set,
238 struct nft_set_iter *iter)
239 {
240 struct nft_rhash *priv = nft_set_priv(set);
241 struct nft_rhash_elem *he;
242 struct rhashtable_iter hti;
243 struct nft_set_elem elem;
244
245 rhashtable_walk_enter(&priv->ht, &hti);
246 rhashtable_walk_start(&hti);
247
248 while ((he = rhashtable_walk_next(&hti))) {
249 if (IS_ERR(he)) {
250 if (PTR_ERR(he) != -EAGAIN) {
251 iter->err = PTR_ERR(he);
252 break;
253 }
254
255 continue;
256 }
257
258 if (iter->count < iter->skip)
259 goto cont;
260 if (nft_set_elem_expired(&he->ext))
261 goto cont;
262 if (!nft_set_elem_active(&he->ext, iter->genmask))
263 goto cont;
264
265 elem.priv = he;
266
267 iter->err = iter->fn(ctx, set, iter, &elem);
268 if (iter->err < 0)
269 break;
270
271 cont:
272 iter->count++;
273 }
274 rhashtable_walk_stop(&hti);
275 rhashtable_walk_exit(&hti);
276 }
277
278 static void nft_rhash_gc(struct work_struct *work)
279 {
280 struct nft_set *set;
281 struct nft_rhash_elem *he;
282 struct nft_rhash *priv;
283 struct nft_set_gc_batch *gcb = NULL;
284 struct rhashtable_iter hti;
285
286 priv = container_of(work, struct nft_rhash, gc_work.work);
287 set = nft_set_container_of(priv);
288
289 rhashtable_walk_enter(&priv->ht, &hti);
290 rhashtable_walk_start(&hti);
291
292 while ((he = rhashtable_walk_next(&hti))) {
293 if (IS_ERR(he)) {
294 if (PTR_ERR(he) != -EAGAIN)
295 break;
296 continue;
297 }
298
299 if (nft_set_ext_exists(&he->ext, NFT_SET_EXT_EXPR)) {
300 struct nft_expr *expr = nft_set_ext_expr(&he->ext);
301
302 if (expr->ops->gc &&
303 expr->ops->gc(read_pnet(&set->net), expr))
304 goto gc;
305 }
306 if (!nft_set_elem_expired(&he->ext))
307 continue;
308 gc:
309 if (nft_set_elem_mark_busy(&he->ext))
310 continue;
311
312 gcb = nft_set_gc_batch_check(set, gcb, GFP_ATOMIC);
313 if (gcb == NULL)
314 break;
315 rhashtable_remove_fast(&priv->ht, &he->node, nft_rhash_params);
316 atomic_dec(&set->nelems);
317 nft_set_gc_batch_add(gcb, he);
318 }
319 rhashtable_walk_stop(&hti);
320 rhashtable_walk_exit(&hti);
321
322 nft_set_gc_batch_complete(gcb);
323 queue_delayed_work(system_power_efficient_wq, &priv->gc_work,
324 nft_set_gc_interval(set));
325 }
326
327 static u64 nft_rhash_privsize(const struct nlattr * const nla[],
328 const struct nft_set_desc *desc)
329 {
330 return sizeof(struct nft_rhash);
331 }
332
333 static void nft_rhash_gc_init(const struct nft_set *set)
334 {
335 struct nft_rhash *priv = nft_set_priv(set);
336
337 queue_delayed_work(system_power_efficient_wq, &priv->gc_work,
338 nft_set_gc_interval(set));
339 }
340
341 static int nft_rhash_init(const struct nft_set *set,
342 const struct nft_set_desc *desc,
343 const struct nlattr * const tb[])
344 {
345 struct nft_rhash *priv = nft_set_priv(set);
346 struct rhashtable_params params = nft_rhash_params;
347 int err;
348
349 params.nelem_hint = desc->size ?: NFT_RHASH_ELEMENT_HINT;
350 params.key_len = set->klen;
351
352 err = rhashtable_init(&priv->ht, &params);
353 if (err < 0)
354 return err;
355
356 INIT_DEFERRABLE_WORK(&priv->gc_work, nft_rhash_gc);
357 if (set->flags & NFT_SET_TIMEOUT)
358 nft_rhash_gc_init(set);
359
360 return 0;
361 }
362
363 static void nft_rhash_elem_destroy(void *ptr, void *arg)
364 {
365 nft_set_elem_destroy(arg, ptr, true);
366 }
367
368 static void nft_rhash_destroy(const struct nft_set *set)
369 {
370 struct nft_rhash *priv = nft_set_priv(set);
371
372 cancel_delayed_work_sync(&priv->gc_work);
373 rcu_barrier();
374 rhashtable_free_and_destroy(&priv->ht, nft_rhash_elem_destroy,
375 (void *)set);
376 }
377
378 static u32 nft_hash_buckets(u32 size)
379 {
380 return roundup_pow_of_two(size * 4 / 3);
381 }
382
383 static bool nft_rhash_estimate(const struct nft_set_desc *desc, u32 features,
384 struct nft_set_estimate *est)
385 {
386 est->size = ~0;
387 est->lookup = NFT_SET_CLASS_O_1;
388 est->space = NFT_SET_CLASS_O_N;
389
390 return true;
391 }
392
393 struct nft_hash {
394 u32 seed;
395 u32 buckets;
396 struct hlist_head table[];
397 };
398
399 struct nft_hash_elem {
400 struct hlist_node node;
401 struct nft_set_ext ext;
402 };
403
404 static bool nft_hash_lookup(const struct net *net, const struct nft_set *set,
405 const u32 *key, const struct nft_set_ext **ext)
406 {
407 struct nft_hash *priv = nft_set_priv(set);
408 u8 genmask = nft_genmask_cur(net);
409 const struct nft_hash_elem *he;
410 u32 hash;
411
412 hash = jhash(key, set->klen, priv->seed);
413 hash = reciprocal_scale(hash, priv->buckets);
414 hlist_for_each_entry_rcu(he, &priv->table[hash], node) {
415 if (!memcmp(nft_set_ext_key(&he->ext), key, set->klen) &&
416 nft_set_elem_active(&he->ext, genmask)) {
417 *ext = &he->ext;
418 return true;
419 }
420 }
421 return false;
422 }
423
424 static void *nft_hash_get(const struct net *net, const struct nft_set *set,
425 const struct nft_set_elem *elem, unsigned int flags)
426 {
427 struct nft_hash *priv = nft_set_priv(set);
428 u8 genmask = nft_genmask_cur(net);
429 struct nft_hash_elem *he;
430 u32 hash;
431
432 hash = jhash(elem->key.val.data, set->klen, priv->seed);
433 hash = reciprocal_scale(hash, priv->buckets);
434 hlist_for_each_entry_rcu(he, &priv->table[hash], node) {
435 if (!memcmp(nft_set_ext_key(&he->ext), elem->key.val.data, set->klen) &&
436 nft_set_elem_active(&he->ext, genmask))
437 return he;
438 }
439 return ERR_PTR(-ENOENT);
440 }
441
442 static bool nft_hash_lookup_fast(const struct net *net,
443 const struct nft_set *set,
444 const u32 *key, const struct nft_set_ext **ext)
445 {
446 struct nft_hash *priv = nft_set_priv(set);
447 u8 genmask = nft_genmask_cur(net);
448 const struct nft_hash_elem *he;
449 u32 hash, k1, k2;
450
451 k1 = *key;
452 hash = jhash_1word(k1, priv->seed);
453 hash = reciprocal_scale(hash, priv->buckets);
454 hlist_for_each_entry_rcu(he, &priv->table[hash], node) {
455 k2 = *(u32 *)nft_set_ext_key(&he->ext)->data;
456 if (k1 == k2 &&
457 nft_set_elem_active(&he->ext, genmask)) {
458 *ext = &he->ext;
459 return true;
460 }
461 }
462 return false;
463 }
464
465 static u32 nft_jhash(const struct nft_set *set, const struct nft_hash *priv,
466 const struct nft_set_ext *ext)
467 {
468 const struct nft_data *key = nft_set_ext_key(ext);
469 u32 hash, k1;
470
471 if (set->klen == 4) {
472 k1 = *(u32 *)key;
473 hash = jhash_1word(k1, priv->seed);
474 } else {
475 hash = jhash(key, set->klen, priv->seed);
476 }
477 hash = reciprocal_scale(hash, priv->buckets);
478
479 return hash;
480 }
481
482 static int nft_hash_insert(const struct net *net, const struct nft_set *set,
483 const struct nft_set_elem *elem,
484 struct nft_set_ext **ext)
485 {
486 struct nft_hash_elem *this = elem->priv, *he;
487 struct nft_hash *priv = nft_set_priv(set);
488 u8 genmask = nft_genmask_next(net);
489 u32 hash;
490
491 hash = nft_jhash(set, priv, &this->ext);
492 hlist_for_each_entry(he, &priv->table[hash], node) {
493 if (!memcmp(nft_set_ext_key(&this->ext),
494 nft_set_ext_key(&he->ext), set->klen) &&
495 nft_set_elem_active(&he->ext, genmask)) {
496 *ext = &he->ext;
497 return -EEXIST;
498 }
499 }
500 hlist_add_head_rcu(&this->node, &priv->table[hash]);
501 return 0;
502 }
503
504 static void nft_hash_activate(const struct net *net, const struct nft_set *set,
505 const struct nft_set_elem *elem)
506 {
507 struct nft_hash_elem *he = elem->priv;
508
509 nft_set_elem_change_active(net, set, &he->ext);
510 }
511
512 static bool nft_hash_flush(const struct net *net,
513 const struct nft_set *set, void *priv)
514 {
515 struct nft_hash_elem *he = priv;
516
517 nft_set_elem_change_active(net, set, &he->ext);
518 return true;
519 }
520
521 static void *nft_hash_deactivate(const struct net *net,
522 const struct nft_set *set,
523 const struct nft_set_elem *elem)
524 {
525 struct nft_hash *priv = nft_set_priv(set);
526 struct nft_hash_elem *this = elem->priv, *he;
527 u8 genmask = nft_genmask_next(net);
528 u32 hash;
529
530 hash = nft_jhash(set, priv, &this->ext);
531 hlist_for_each_entry(he, &priv->table[hash], node) {
532 if (!memcmp(nft_set_ext_key(&he->ext), &elem->key.val,
533 set->klen) &&
534 nft_set_elem_active(&he->ext, genmask)) {
535 nft_set_elem_change_active(net, set, &he->ext);
536 return he;
537 }
538 }
539 return NULL;
540 }
541
542 static void nft_hash_remove(const struct net *net,
543 const struct nft_set *set,
544 const struct nft_set_elem *elem)
545 {
546 struct nft_hash_elem *he = elem->priv;
547
548 hlist_del_rcu(&he->node);
549 }
550
551 static void nft_hash_walk(const struct nft_ctx *ctx, struct nft_set *set,
552 struct nft_set_iter *iter)
553 {
554 struct nft_hash *priv = nft_set_priv(set);
555 struct nft_hash_elem *he;
556 struct nft_set_elem elem;
557 int i;
558
559 for (i = 0; i < priv->buckets; i++) {
560 hlist_for_each_entry_rcu(he, &priv->table[i], node) {
561 if (iter->count < iter->skip)
562 goto cont;
563 if (!nft_set_elem_active(&he->ext, iter->genmask))
564 goto cont;
565
566 elem.priv = he;
567
568 iter->err = iter->fn(ctx, set, iter, &elem);
569 if (iter->err < 0)
570 return;
571 cont:
572 iter->count++;
573 }
574 }
575 }
576
577 static u64 nft_hash_privsize(const struct nlattr * const nla[],
578 const struct nft_set_desc *desc)
579 {
580 return sizeof(struct nft_hash) +
581 nft_hash_buckets(desc->size) * sizeof(struct hlist_head);
582 }
583
584 static int nft_hash_init(const struct nft_set *set,
585 const struct nft_set_desc *desc,
586 const struct nlattr * const tb[])
587 {
588 struct nft_hash *priv = nft_set_priv(set);
589
590 priv->buckets = nft_hash_buckets(desc->size);
591 get_random_bytes(&priv->seed, sizeof(priv->seed));
592
593 return 0;
594 }
595
596 static void nft_hash_destroy(const struct nft_set *set)
597 {
598 struct nft_hash *priv = nft_set_priv(set);
599 struct nft_hash_elem *he;
600 struct hlist_node *next;
601 int i;
602
603 for (i = 0; i < priv->buckets; i++) {
604 hlist_for_each_entry_safe(he, next, &priv->table[i], node) {
605 hlist_del_rcu(&he->node);
606 nft_set_elem_destroy(set, he, true);
607 }
608 }
609 }
610
611 static bool nft_hash_estimate(const struct nft_set_desc *desc, u32 features,
612 struct nft_set_estimate *est)
613 {
614 if (!desc->size)
615 return false;
616
617 if (desc->klen == 4)
618 return false;
619
620 est->size = sizeof(struct nft_hash) +
621 nft_hash_buckets(desc->size) * sizeof(struct hlist_head) +
622 desc->size * sizeof(struct nft_hash_elem);
623 est->lookup = NFT_SET_CLASS_O_1;
624 est->space = NFT_SET_CLASS_O_N;
625
626 return true;
627 }
628
629 static bool nft_hash_fast_estimate(const struct nft_set_desc *desc, u32 features,
630 struct nft_set_estimate *est)
631 {
632 if (!desc->size)
633 return false;
634
635 if (desc->klen != 4)
636 return false;
637
638 est->size = sizeof(struct nft_hash) +
639 nft_hash_buckets(desc->size) * sizeof(struct hlist_head) +
640 desc->size * sizeof(struct nft_hash_elem);
641 est->lookup = NFT_SET_CLASS_O_1;
642 est->space = NFT_SET_CLASS_O_N;
643
644 return true;
645 }
646
647 struct nft_set_type nft_set_rhash_type __read_mostly = {
648 .owner = THIS_MODULE,
649 .features = NFT_SET_MAP | NFT_SET_OBJECT |
650 NFT_SET_TIMEOUT | NFT_SET_EVAL,
651 .ops = {
652 .privsize = nft_rhash_privsize,
653 .elemsize = offsetof(struct nft_rhash_elem, ext),
654 .estimate = nft_rhash_estimate,
655 .init = nft_rhash_init,
656 .gc_init = nft_rhash_gc_init,
657 .destroy = nft_rhash_destroy,
658 .insert = nft_rhash_insert,
659 .activate = nft_rhash_activate,
660 .deactivate = nft_rhash_deactivate,
661 .flush = nft_rhash_flush,
662 .remove = nft_rhash_remove,
663 .lookup = nft_rhash_lookup,
664 .update = nft_rhash_update,
665 .walk = nft_rhash_walk,
666 .get = nft_rhash_get,
667 },
668 };
669
670 struct nft_set_type nft_set_hash_type __read_mostly = {
671 .owner = THIS_MODULE,
672 .features = NFT_SET_MAP | NFT_SET_OBJECT,
673 .ops = {
674 .privsize = nft_hash_privsize,
675 .elemsize = offsetof(struct nft_hash_elem, ext),
676 .estimate = nft_hash_estimate,
677 .init = nft_hash_init,
678 .destroy = nft_hash_destroy,
679 .insert = nft_hash_insert,
680 .activate = nft_hash_activate,
681 .deactivate = nft_hash_deactivate,
682 .flush = nft_hash_flush,
683 .remove = nft_hash_remove,
684 .lookup = nft_hash_lookup,
685 .walk = nft_hash_walk,
686 .get = nft_hash_get,
687 },
688 };
689
690 struct nft_set_type nft_set_hash_fast_type __read_mostly = {
691 .owner = THIS_MODULE,
692 .features = NFT_SET_MAP | NFT_SET_OBJECT,
693 .ops = {
694 .privsize = nft_hash_privsize,
695 .elemsize = offsetof(struct nft_hash_elem, ext),
696 .estimate = nft_hash_fast_estimate,
697 .init = nft_hash_init,
698 .destroy = nft_hash_destroy,
699 .insert = nft_hash_insert,
700 .activate = nft_hash_activate,
701 .deactivate = nft_hash_deactivate,
702 .flush = nft_hash_flush,
703 .remove = nft_hash_remove,
704 .lookup = nft_hash_lookup_fast,
705 .walk = nft_hash_walk,
706 .get = nft_hash_get,
707 },
708 };
Ubuntu Hirsute Linux kernel mirror