Skip to content

Commit 37f319f

Browse files
ummakynesummakynes
committed
netfilter: nft_connlimit: move stateful fields out of expression data
In preparation for the rule blob representation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
1 parent 6316136 commit 37f319f

File tree

1 file changed

+18
-8
lines changed

1 file changed

+18
-8
lines changed

net/netfilter/nft_connlimit.c

Lines changed: 18 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@
1414
#include <net/netfilter/nf_conntrack_zones.h>
1515

1616
struct nft_connlimit {
17-
struct nf_conncount_list list;
17+
struct nf_conncount_list *list;
1818
u32 limit;
1919
bool invert;
2020
};
@@ -43,12 +43,12 @@ static inline void nft_connlimit_do_eval(struct nft_connlimit *priv,
4343
return;
4444
}
4545

46-
if (nf_conncount_add(nft_net(pkt), &priv->list, tuple_ptr, zone)) {
46+
if (nf_conncount_add(nft_net(pkt), priv->list, tuple_ptr, zone)) {
4747
regs->verdict.code = NF_DROP;
4848
return;
4949
}
5050

51-
count = priv->list.count;
51+
count = priv->list->count;
5252

5353
if ((count > priv->limit) ^ priv->invert) {
5454
regs->verdict.code = NFT_BREAK;
@@ -76,7 +76,11 @@ static int nft_connlimit_do_init(const struct nft_ctx *ctx,
7676
invert = true;
7777
}
7878

79-
nf_conncount_list_init(&priv->list);
79+
priv->list = kmalloc(sizeof(*priv->list), GFP_KERNEL);
80+
if (!priv->list)
81+
return -ENOMEM;
82+
83+
nf_conncount_list_init(priv->list);
8084
priv->limit = limit;
8185
priv->invert = invert;
8286

@@ -87,7 +91,8 @@ static void nft_connlimit_do_destroy(const struct nft_ctx *ctx,
8791
struct nft_connlimit *priv)
8892
{
8993
nf_ct_netns_put(ctx->net, ctx->family);
90-
nf_conncount_cache_free(&priv->list);
94+
nf_conncount_cache_free(priv->list);
95+
kfree(priv->list);
9196
}
9297

9398
static int nft_connlimit_do_dump(struct sk_buff *skb,
@@ -200,7 +205,11 @@ static int nft_connlimit_clone(struct nft_expr *dst, const struct nft_expr *src)
200205
struct nft_connlimit *priv_dst = nft_expr_priv(dst);
201206
struct nft_connlimit *priv_src = nft_expr_priv(src);
202207

203-
nf_conncount_list_init(&priv_dst->list);
208+
priv_dst->list = kmalloc(sizeof(*priv_dst->list), GFP_ATOMIC);
209+
if (priv_dst->list)
210+
return -ENOMEM;
211+
212+
nf_conncount_list_init(priv_dst->list);
204213
priv_dst->limit = priv_src->limit;
205214
priv_dst->invert = priv_src->invert;
206215

@@ -212,7 +221,8 @@ static void nft_connlimit_destroy_clone(const struct nft_ctx *ctx,
212221
{
213222
struct nft_connlimit *priv = nft_expr_priv(expr);
214223

215-
nf_conncount_cache_free(&priv->list);
224+
nf_conncount_cache_free(priv->list);
225+
kfree(priv->list);
216226
}
217227

218228
static bool nft_connlimit_gc(struct net *net, const struct nft_expr *expr)
@@ -221,7 +231,7 @@ static bool nft_connlimit_gc(struct net *net, const struct nft_expr *expr)
221231
bool ret;
222232

223233
local_bh_disable();
224-
ret = nf_conncount_gc_list(net, &priv->list);
234+
ret = nf_conncount_gc_list(net, priv->list);
225235
local_bh_enable();
226236

227237
return ret;

0 commit comments

Comments
 (0)