1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2008-2014 Patrick McHardy <kaber@trash.net>
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
8 #include <linux/kernel.h>
9 #include <linux/init.h>
10 #include <linux/module.h>
11 #include <linux/list.h>
12 #include <linux/log2.h>
13 #include <linux/jhash.h>
14 #include <linux/netlink.h>
15 #include <linux/workqueue.h>
16 #include <linux/rhashtable.h>
17 #include <linux/netfilter.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables_core.h>
21 /* We target a hash table size of 4, element hint is 75% of final size */
22 #define NFT_RHASH_ELEMENT_HINT 3
26 struct delayed_work gc_work;
29 struct nft_rhash_elem {
30 struct nft_elem_priv priv;
31 struct rhash_head node;
32 struct nft_set_ext ext;
35 struct nft_rhash_cmp_arg {
36 const struct nft_set *set;
41 static inline u32 nft_rhash_key(const void *data, u32 len, u32 seed)
43 const struct nft_rhash_cmp_arg *arg = data;
45 return jhash(arg->key, len, seed);
48 static inline u32 nft_rhash_obj(const void *data, u32 len, u32 seed)
50 const struct nft_rhash_elem *he = data;
52 return jhash(nft_set_ext_key(&he->ext), len, seed);
55 static inline int nft_rhash_cmp(struct rhashtable_compare_arg *arg,
58 const struct nft_rhash_cmp_arg *x = arg->key;
59 const struct nft_rhash_elem *he = ptr;
61 if (memcmp(nft_set_ext_key(&he->ext), x->key, x->set->klen))
63 if (nft_set_elem_is_dead(&he->ext))
65 if (nft_set_elem_expired(&he->ext))
67 if (!nft_set_elem_active(&he->ext, x->genmask))
72 static const struct rhashtable_params nft_rhash_params = {
73 .head_offset = offsetof(struct nft_rhash_elem, node),
74 .hashfn = nft_rhash_key,
75 .obj_hashfn = nft_rhash_obj,
76 .obj_cmpfn = nft_rhash_cmp,
77 .automatic_shrinking = true,
80 INDIRECT_CALLABLE_SCOPE
81 bool nft_rhash_lookup(const struct net *net, const struct nft_set *set,
82 const u32 *key, const struct nft_set_ext **ext)
84 struct nft_rhash *priv = nft_set_priv(set);
85 const struct nft_rhash_elem *he;
86 struct nft_rhash_cmp_arg arg = {
87 .genmask = nft_genmask_cur(net),
92 he = rhashtable_lookup(&priv->ht, &arg, nft_rhash_params);
99 static struct nft_elem_priv *
100 nft_rhash_get(const struct net *net, const struct nft_set *set,
101 const struct nft_set_elem *elem, unsigned int flags)
103 struct nft_rhash *priv = nft_set_priv(set);
104 struct nft_rhash_elem *he;
105 struct nft_rhash_cmp_arg arg = {
106 .genmask = nft_genmask_cur(net),
108 .key = elem->key.val.data,
111 he = rhashtable_lookup(&priv->ht, &arg, nft_rhash_params);
115 return ERR_PTR(-ENOENT);
118 static bool nft_rhash_update(struct nft_set *set, const u32 *key,
119 struct nft_elem_priv *
120 (*new)(struct nft_set *,
121 const struct nft_expr *,
122 struct nft_regs *regs),
123 const struct nft_expr *expr,
124 struct nft_regs *regs,
125 const struct nft_set_ext **ext)
127 struct nft_rhash *priv = nft_set_priv(set);
128 struct nft_rhash_elem *he, *prev;
129 struct nft_elem_priv *elem_priv;
130 struct nft_rhash_cmp_arg arg = {
131 .genmask = NFT_GENMASK_ANY,
136 he = rhashtable_lookup(&priv->ht, &arg, nft_rhash_params);
140 elem_priv = new(set, expr, regs);
144 he = nft_elem_priv_cast(elem_priv);
145 prev = rhashtable_lookup_get_insert_key(&priv->ht, &arg, &he->node,
150 /* Another cpu may race to insert the element with the same key */
152 nft_set_elem_destroy(set, &he->priv, true);
153 atomic_dec(&set->nelems);
162 nft_set_elem_destroy(set, &he->priv, true);
163 atomic_dec(&set->nelems);
168 static int nft_rhash_insert(const struct net *net, const struct nft_set *set,
169 const struct nft_set_elem *elem,
170 struct nft_set_ext **ext)
172 struct nft_rhash_elem *he = nft_elem_priv_cast(elem->priv);
173 struct nft_rhash *priv = nft_set_priv(set);
174 struct nft_rhash_cmp_arg arg = {
175 .genmask = nft_genmask_next(net),
177 .key = elem->key.val.data,
179 struct nft_rhash_elem *prev;
181 prev = rhashtable_lookup_get_insert_key(&priv->ht, &arg, &he->node,
184 return PTR_ERR(prev);
192 static void nft_rhash_activate(const struct net *net, const struct nft_set *set,
193 struct nft_elem_priv *elem_priv)
195 struct nft_rhash_elem *he = nft_elem_priv_cast(elem_priv);
197 nft_set_elem_change_active(net, set, &he->ext);
200 static void nft_rhash_flush(const struct net *net,
201 const struct nft_set *set,
202 struct nft_elem_priv *elem_priv)
204 struct nft_rhash_elem *he = nft_elem_priv_cast(elem_priv);
206 nft_set_elem_change_active(net, set, &he->ext);
209 static struct nft_elem_priv *
210 nft_rhash_deactivate(const struct net *net, const struct nft_set *set,
211 const struct nft_set_elem *elem)
213 struct nft_rhash *priv = nft_set_priv(set);
214 struct nft_rhash_elem *he;
215 struct nft_rhash_cmp_arg arg = {
216 .genmask = nft_genmask_next(net),
218 .key = elem->key.val.data,
222 he = rhashtable_lookup(&priv->ht, &arg, nft_rhash_params);
224 nft_set_elem_change_active(net, set, &he->ext);
231 static void nft_rhash_remove(const struct net *net,
232 const struct nft_set *set,
233 struct nft_elem_priv *elem_priv)
235 struct nft_rhash_elem *he = nft_elem_priv_cast(elem_priv);
236 struct nft_rhash *priv = nft_set_priv(set);
238 rhashtable_remove_fast(&priv->ht, &he->node, nft_rhash_params);
241 static bool nft_rhash_delete(const struct nft_set *set,
244 struct nft_rhash *priv = nft_set_priv(set);
245 struct nft_rhash_cmp_arg arg = {
246 .genmask = NFT_GENMASK_ANY,
250 struct nft_rhash_elem *he;
252 he = rhashtable_lookup(&priv->ht, &arg, nft_rhash_params);
256 nft_set_elem_dead(&he->ext);
261 static void nft_rhash_walk(const struct nft_ctx *ctx, struct nft_set *set,
262 struct nft_set_iter *iter)
264 struct nft_rhash *priv = nft_set_priv(set);
265 struct nft_rhash_elem *he;
266 struct rhashtable_iter hti;
268 rhashtable_walk_enter(&priv->ht, &hti);
269 rhashtable_walk_start(&hti);
271 while ((he = rhashtable_walk_next(&hti))) {
273 if (PTR_ERR(he) != -EAGAIN) {
274 iter->err = PTR_ERR(he);
281 if (iter->count < iter->skip)
283 if (!nft_set_elem_active(&he->ext, iter->genmask))
286 iter->err = iter->fn(ctx, set, iter, &he->priv);
293 rhashtable_walk_stop(&hti);
294 rhashtable_walk_exit(&hti);
297 static bool nft_rhash_expr_needs_gc_run(const struct nft_set *set,
298 struct nft_set_ext *ext)
300 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
301 struct nft_expr *expr;
304 nft_setelem_expr_foreach(expr, elem_expr, size) {
306 expr->ops->gc(read_pnet(&set->net), expr))
313 static void nft_rhash_gc(struct work_struct *work)
315 struct nftables_pernet *nft_net;
317 struct nft_rhash_elem *he;
318 struct nft_rhash *priv;
319 struct rhashtable_iter hti;
320 struct nft_trans_gc *gc;
324 priv = container_of(work, struct nft_rhash, gc_work.work);
325 set = nft_set_container_of(priv);
326 net = read_pnet(&set->net);
327 nft_net = nft_pernet(net);
328 gc_seq = READ_ONCE(nft_net->gc_seq);
330 if (nft_set_gc_is_pending(set))
333 gc = nft_trans_gc_alloc(set, gc_seq, GFP_KERNEL);
337 rhashtable_walk_enter(&priv->ht, &hti);
338 rhashtable_walk_start(&hti);
340 while ((he = rhashtable_walk_next(&hti))) {
342 nft_trans_gc_destroy(gc);
347 /* Ruleset has been updated, try later. */
348 if (READ_ONCE(nft_net->gc_seq) != gc_seq) {
349 nft_trans_gc_destroy(gc);
354 if (nft_set_elem_is_dead(&he->ext))
357 if (nft_set_ext_exists(&he->ext, NFT_SET_EXT_EXPRESSIONS) &&
358 nft_rhash_expr_needs_gc_run(set, &he->ext))
361 if (!nft_set_elem_expired(&he->ext))
364 nft_set_elem_dead(&he->ext);
366 gc = nft_trans_gc_queue_async(gc, gc_seq, GFP_ATOMIC);
370 nft_trans_gc_elem_add(gc, he);
373 gc = nft_trans_gc_catchall_async(gc, gc_seq);
376 /* catchall list iteration requires rcu read side lock. */
377 rhashtable_walk_stop(&hti);
378 rhashtable_walk_exit(&hti);
381 nft_trans_gc_queue_async_done(gc);
384 queue_delayed_work(system_power_efficient_wq, &priv->gc_work,
385 nft_set_gc_interval(set));
388 static u64 nft_rhash_privsize(const struct nlattr * const nla[],
389 const struct nft_set_desc *desc)
391 return sizeof(struct nft_rhash);
394 static void nft_rhash_gc_init(const struct nft_set *set)
396 struct nft_rhash *priv = nft_set_priv(set);
398 queue_delayed_work(system_power_efficient_wq, &priv->gc_work,
399 nft_set_gc_interval(set));
402 static int nft_rhash_init(const struct nft_set *set,
403 const struct nft_set_desc *desc,
404 const struct nlattr * const tb[])
406 struct nft_rhash *priv = nft_set_priv(set);
407 struct rhashtable_params params = nft_rhash_params;
410 BUILD_BUG_ON(offsetof(struct nft_rhash_elem, priv) != 0);
412 params.nelem_hint = desc->size ?: NFT_RHASH_ELEMENT_HINT;
413 params.key_len = set->klen;
415 err = rhashtable_init(&priv->ht, ¶ms);
419 INIT_DEFERRABLE_WORK(&priv->gc_work, nft_rhash_gc);
420 if (set->flags & (NFT_SET_TIMEOUT | NFT_SET_EVAL))
421 nft_rhash_gc_init(set);
426 struct nft_rhash_ctx {
427 const struct nft_ctx ctx;
428 const struct nft_set *set;
431 static void nft_rhash_elem_destroy(void *ptr, void *arg)
433 struct nft_rhash_ctx *rhash_ctx = arg;
434 struct nft_rhash_elem *he = ptr;
436 nf_tables_set_elem_destroy(&rhash_ctx->ctx, rhash_ctx->set, &he->priv);
439 static void nft_rhash_destroy(const struct nft_ctx *ctx,
440 const struct nft_set *set)
442 struct nft_rhash *priv = nft_set_priv(set);
443 struct nft_rhash_ctx rhash_ctx = {
448 cancel_delayed_work_sync(&priv->gc_work);
449 rhashtable_free_and_destroy(&priv->ht, nft_rhash_elem_destroy,
453 /* Number of buckets is stored in u32, so cap our result to 1U<<31 */
454 #define NFT_MAX_BUCKETS (1U << 31)
456 static u32 nft_hash_buckets(u32 size)
458 u64 val = div_u64((u64)size * 4, 3);
460 if (val >= NFT_MAX_BUCKETS)
461 return NFT_MAX_BUCKETS;
463 return roundup_pow_of_two(val);
466 static bool nft_rhash_estimate(const struct nft_set_desc *desc, u32 features,
467 struct nft_set_estimate *est)
470 est->lookup = NFT_SET_CLASS_O_1;
471 est->space = NFT_SET_CLASS_O_N;
479 struct hlist_head table[];
482 struct nft_hash_elem {
483 struct nft_elem_priv priv;
484 struct hlist_node node;
485 struct nft_set_ext ext;
488 INDIRECT_CALLABLE_SCOPE
489 bool nft_hash_lookup(const struct net *net, const struct nft_set *set,
490 const u32 *key, const struct nft_set_ext **ext)
492 struct nft_hash *priv = nft_set_priv(set);
493 u8 genmask = nft_genmask_cur(net);
494 const struct nft_hash_elem *he;
497 hash = jhash(key, set->klen, priv->seed);
498 hash = reciprocal_scale(hash, priv->buckets);
499 hlist_for_each_entry_rcu(he, &priv->table[hash], node) {
500 if (!memcmp(nft_set_ext_key(&he->ext), key, set->klen) &&
501 nft_set_elem_active(&he->ext, genmask)) {
509 static struct nft_elem_priv *
510 nft_hash_get(const struct net *net, const struct nft_set *set,
511 const struct nft_set_elem *elem, unsigned int flags)
513 struct nft_hash *priv = nft_set_priv(set);
514 u8 genmask = nft_genmask_cur(net);
515 struct nft_hash_elem *he;
518 hash = jhash(elem->key.val.data, set->klen, priv->seed);
519 hash = reciprocal_scale(hash, priv->buckets);
520 hlist_for_each_entry_rcu(he, &priv->table[hash], node) {
521 if (!memcmp(nft_set_ext_key(&he->ext), elem->key.val.data, set->klen) &&
522 nft_set_elem_active(&he->ext, genmask))
525 return ERR_PTR(-ENOENT);
528 INDIRECT_CALLABLE_SCOPE
529 bool nft_hash_lookup_fast(const struct net *net,
530 const struct nft_set *set,
531 const u32 *key, const struct nft_set_ext **ext)
533 struct nft_hash *priv = nft_set_priv(set);
534 u8 genmask = nft_genmask_cur(net);
535 const struct nft_hash_elem *he;
539 hash = jhash_1word(k1, priv->seed);
540 hash = reciprocal_scale(hash, priv->buckets);
541 hlist_for_each_entry_rcu(he, &priv->table[hash], node) {
542 k2 = *(u32 *)nft_set_ext_key(&he->ext)->data;
544 nft_set_elem_active(&he->ext, genmask)) {
552 static u32 nft_jhash(const struct nft_set *set, const struct nft_hash *priv,
553 const struct nft_set_ext *ext)
555 const struct nft_data *key = nft_set_ext_key(ext);
558 if (set->klen == 4) {
560 hash = jhash_1word(k1, priv->seed);
562 hash = jhash(key, set->klen, priv->seed);
564 hash = reciprocal_scale(hash, priv->buckets);
569 static int nft_hash_insert(const struct net *net, const struct nft_set *set,
570 const struct nft_set_elem *elem,
571 struct nft_set_ext **ext)
573 struct nft_hash_elem *this = nft_elem_priv_cast(elem->priv), *he;
574 struct nft_hash *priv = nft_set_priv(set);
575 u8 genmask = nft_genmask_next(net);
578 hash = nft_jhash(set, priv, &this->ext);
579 hlist_for_each_entry(he, &priv->table[hash], node) {
580 if (!memcmp(nft_set_ext_key(&this->ext),
581 nft_set_ext_key(&he->ext), set->klen) &&
582 nft_set_elem_active(&he->ext, genmask)) {
587 hlist_add_head_rcu(&this->node, &priv->table[hash]);
591 static void nft_hash_activate(const struct net *net, const struct nft_set *set,
592 struct nft_elem_priv *elem_priv)
594 struct nft_hash_elem *he = nft_elem_priv_cast(elem_priv);
596 nft_set_elem_change_active(net, set, &he->ext);
599 static void nft_hash_flush(const struct net *net,
600 const struct nft_set *set,
601 struct nft_elem_priv *elem_priv)
603 struct nft_hash_elem *he = nft_elem_priv_cast(elem_priv);
605 nft_set_elem_change_active(net, set, &he->ext);
608 static struct nft_elem_priv *
609 nft_hash_deactivate(const struct net *net, const struct nft_set *set,
610 const struct nft_set_elem *elem)
612 struct nft_hash_elem *this = nft_elem_priv_cast(elem->priv), *he;
613 struct nft_hash *priv = nft_set_priv(set);
614 u8 genmask = nft_genmask_next(net);
617 hash = nft_jhash(set, priv, &this->ext);
618 hlist_for_each_entry(he, &priv->table[hash], node) {
619 if (!memcmp(nft_set_ext_key(&he->ext), &elem->key.val,
621 nft_set_elem_active(&he->ext, genmask)) {
622 nft_set_elem_change_active(net, set, &he->ext);
629 static void nft_hash_remove(const struct net *net,
630 const struct nft_set *set,
631 struct nft_elem_priv *elem_priv)
633 struct nft_hash_elem *he = nft_elem_priv_cast(elem_priv);
635 hlist_del_rcu(&he->node);
638 static void nft_hash_walk(const struct nft_ctx *ctx, struct nft_set *set,
639 struct nft_set_iter *iter)
641 struct nft_hash *priv = nft_set_priv(set);
642 struct nft_hash_elem *he;
645 for (i = 0; i < priv->buckets; i++) {
646 hlist_for_each_entry_rcu(he, &priv->table[i], node) {
647 if (iter->count < iter->skip)
649 if (!nft_set_elem_active(&he->ext, iter->genmask))
652 iter->err = iter->fn(ctx, set, iter, &he->priv);
661 static u64 nft_hash_privsize(const struct nlattr * const nla[],
662 const struct nft_set_desc *desc)
664 return sizeof(struct nft_hash) +
665 (u64)nft_hash_buckets(desc->size) * sizeof(struct hlist_head);
668 static int nft_hash_init(const struct nft_set *set,
669 const struct nft_set_desc *desc,
670 const struct nlattr * const tb[])
672 struct nft_hash *priv = nft_set_priv(set);
674 priv->buckets = nft_hash_buckets(desc->size);
675 get_random_bytes(&priv->seed, sizeof(priv->seed));
680 static void nft_hash_destroy(const struct nft_ctx *ctx,
681 const struct nft_set *set)
683 struct nft_hash *priv = nft_set_priv(set);
684 struct nft_hash_elem *he;
685 struct hlist_node *next;
688 for (i = 0; i < priv->buckets; i++) {
689 hlist_for_each_entry_safe(he, next, &priv->table[i], node) {
690 hlist_del_rcu(&he->node);
691 nf_tables_set_elem_destroy(ctx, set, &he->priv);
696 static bool nft_hash_estimate(const struct nft_set_desc *desc, u32 features,
697 struct nft_set_estimate *est)
705 est->size = sizeof(struct nft_hash) +
706 (u64)nft_hash_buckets(desc->size) * sizeof(struct hlist_head) +
707 (u64)desc->size * sizeof(struct nft_hash_elem);
708 est->lookup = NFT_SET_CLASS_O_1;
709 est->space = NFT_SET_CLASS_O_N;
714 static bool nft_hash_fast_estimate(const struct nft_set_desc *desc, u32 features,
715 struct nft_set_estimate *est)
723 est->size = sizeof(struct nft_hash) +
724 (u64)nft_hash_buckets(desc->size) * sizeof(struct hlist_head) +
725 (u64)desc->size * sizeof(struct nft_hash_elem);
726 est->lookup = NFT_SET_CLASS_O_1;
727 est->space = NFT_SET_CLASS_O_N;
732 const struct nft_set_type nft_set_rhash_type = {
733 .features = NFT_SET_MAP | NFT_SET_OBJECT |
734 NFT_SET_TIMEOUT | NFT_SET_EVAL,
736 .privsize = nft_rhash_privsize,
737 .elemsize = offsetof(struct nft_rhash_elem, ext),
738 .estimate = nft_rhash_estimate,
739 .init = nft_rhash_init,
740 .gc_init = nft_rhash_gc_init,
741 .destroy = nft_rhash_destroy,
742 .insert = nft_rhash_insert,
743 .activate = nft_rhash_activate,
744 .deactivate = nft_rhash_deactivate,
745 .flush = nft_rhash_flush,
746 .remove = nft_rhash_remove,
747 .lookup = nft_rhash_lookup,
748 .update = nft_rhash_update,
749 .delete = nft_rhash_delete,
750 .walk = nft_rhash_walk,
751 .get = nft_rhash_get,
755 const struct nft_set_type nft_set_hash_type = {
756 .features = NFT_SET_MAP | NFT_SET_OBJECT,
758 .privsize = nft_hash_privsize,
759 .elemsize = offsetof(struct nft_hash_elem, ext),
760 .estimate = nft_hash_estimate,
761 .init = nft_hash_init,
762 .destroy = nft_hash_destroy,
763 .insert = nft_hash_insert,
764 .activate = nft_hash_activate,
765 .deactivate = nft_hash_deactivate,
766 .flush = nft_hash_flush,
767 .remove = nft_hash_remove,
768 .lookup = nft_hash_lookup,
769 .walk = nft_hash_walk,
774 const struct nft_set_type nft_set_hash_fast_type = {
775 .features = NFT_SET_MAP | NFT_SET_OBJECT,
777 .privsize = nft_hash_privsize,
778 .elemsize = offsetof(struct nft_hash_elem, ext),
779 .estimate = nft_hash_fast_estimate,
780 .init = nft_hash_init,
781 .destroy = nft_hash_destroy,
782 .insert = nft_hash_insert,
783 .activate = nft_hash_activate,
784 .deactivate = nft_hash_deactivate,
785 .flush = nft_hash_flush,
786 .remove = nft_hash_remove,
787 .lookup = nft_hash_lookup_fast,
788 .walk = nft_hash_walk,
projects / linux-2.6-microblaze.git / blob