1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
8 #include <linux/kernel.h>
9 #include <linux/init.h>
10 #include <linux/module.h>
11 #include <linux/list.h>
12 #include <linux/rbtree.h>
13 #include <linux/netlink.h>
14 #include <linux/netfilter.h>
15 #include <linux/netfilter/nf_tables.h>
16 #include <net/netfilter/nf_tables_core.h>
21 seqcount_rwlock_t count;
22 unsigned long last_gc;
25 struct nft_rbtree_elem {
26 struct nft_elem_priv priv;
28 struct nft_set_ext ext;
31 static bool nft_rbtree_interval_end(const struct nft_rbtree_elem *rbe)
33 return nft_set_ext_exists(&rbe->ext, NFT_SET_EXT_FLAGS) &&
34 (*nft_set_ext_flags(&rbe->ext) & NFT_SET_ELEM_INTERVAL_END);
37 static bool nft_rbtree_interval_start(const struct nft_rbtree_elem *rbe)
39 return !nft_rbtree_interval_end(rbe);
42 static int nft_rbtree_cmp(const struct nft_set *set,
43 const struct nft_rbtree_elem *e1,
44 const struct nft_rbtree_elem *e2)
46 return memcmp(nft_set_ext_key(&e1->ext), nft_set_ext_key(&e2->ext),
50 static bool nft_rbtree_elem_expired(const struct nft_rbtree_elem *rbe)
52 return nft_set_elem_expired(&rbe->ext);
55 static bool __nft_rbtree_lookup(const struct net *net, const struct nft_set *set,
56 const u32 *key, const struct nft_set_ext **ext,
59 struct nft_rbtree *priv = nft_set_priv(set);
60 const struct nft_rbtree_elem *rbe, *interval = NULL;
61 u8 genmask = nft_genmask_cur(net);
62 const struct rb_node *parent;
65 parent = rcu_dereference_raw(priv->root.rb_node);
66 while (parent != NULL) {
67 if (read_seqcount_retry(&priv->count, seq))
70 rbe = rb_entry(parent, struct nft_rbtree_elem, node);
72 d = memcmp(nft_set_ext_key(&rbe->ext), key, set->klen);
74 parent = rcu_dereference_raw(parent->rb_left);
76 !nft_rbtree_cmp(set, rbe, interval) &&
77 nft_rbtree_interval_end(rbe) &&
78 nft_rbtree_interval_start(interval))
82 parent = rcu_dereference_raw(parent->rb_right);
84 if (!nft_set_elem_active(&rbe->ext, genmask)) {
85 parent = rcu_dereference_raw(parent->rb_left);
89 if (nft_rbtree_elem_expired(rbe))
92 if (nft_rbtree_interval_end(rbe)) {
93 if (nft_set_is_anonymous(set))
95 parent = rcu_dereference_raw(parent->rb_left);
105 if (set->flags & NFT_SET_INTERVAL && interval != NULL &&
106 nft_set_elem_active(&interval->ext, genmask) &&
107 !nft_rbtree_elem_expired(interval) &&
108 nft_rbtree_interval_start(interval)) {
109 *ext = &interval->ext;
116 INDIRECT_CALLABLE_SCOPE
117 bool nft_rbtree_lookup(const struct net *net, const struct nft_set *set,
118 const u32 *key, const struct nft_set_ext **ext)
120 struct nft_rbtree *priv = nft_set_priv(set);
121 unsigned int seq = read_seqcount_begin(&priv->count);
124 ret = __nft_rbtree_lookup(net, set, key, ext, seq);
125 if (ret || !read_seqcount_retry(&priv->count, seq))
128 read_lock_bh(&priv->lock);
129 seq = read_seqcount_begin(&priv->count);
130 ret = __nft_rbtree_lookup(net, set, key, ext, seq);
131 read_unlock_bh(&priv->lock);
136 static bool __nft_rbtree_get(const struct net *net, const struct nft_set *set,
137 const u32 *key, struct nft_rbtree_elem **elem,
138 unsigned int seq, unsigned int flags, u8 genmask)
140 struct nft_rbtree_elem *rbe, *interval = NULL;
141 struct nft_rbtree *priv = nft_set_priv(set);
142 const struct rb_node *parent;
146 parent = rcu_dereference_raw(priv->root.rb_node);
147 while (parent != NULL) {
148 if (read_seqcount_retry(&priv->count, seq))
151 rbe = rb_entry(parent, struct nft_rbtree_elem, node);
153 this = nft_set_ext_key(&rbe->ext);
154 d = memcmp(this, key, set->klen);
156 parent = rcu_dereference_raw(parent->rb_left);
157 if (!(flags & NFT_SET_ELEM_INTERVAL_END))
160 parent = rcu_dereference_raw(parent->rb_right);
161 if (flags & NFT_SET_ELEM_INTERVAL_END)
164 if (!nft_set_elem_active(&rbe->ext, genmask)) {
165 parent = rcu_dereference_raw(parent->rb_left);
169 if (nft_set_elem_expired(&rbe->ext))
172 if (!nft_set_ext_exists(&rbe->ext, NFT_SET_EXT_FLAGS) ||
173 (*nft_set_ext_flags(&rbe->ext) & NFT_SET_ELEM_INTERVAL_END) ==
174 (flags & NFT_SET_ELEM_INTERVAL_END)) {
179 if (nft_rbtree_interval_end(rbe))
182 parent = rcu_dereference_raw(parent->rb_left);
186 if (set->flags & NFT_SET_INTERVAL && interval != NULL &&
187 nft_set_elem_active(&interval->ext, genmask) &&
188 !nft_set_elem_expired(&interval->ext) &&
189 ((!nft_rbtree_interval_end(interval) &&
190 !(flags & NFT_SET_ELEM_INTERVAL_END)) ||
191 (nft_rbtree_interval_end(interval) &&
192 (flags & NFT_SET_ELEM_INTERVAL_END)))) {
200 static struct nft_elem_priv *
201 nft_rbtree_get(const struct net *net, const struct nft_set *set,
202 const struct nft_set_elem *elem, unsigned int flags)
204 struct nft_rbtree *priv = nft_set_priv(set);
205 unsigned int seq = read_seqcount_begin(&priv->count);
206 struct nft_rbtree_elem *rbe = ERR_PTR(-ENOENT);
207 const u32 *key = (const u32 *)&elem->key.val;
208 u8 genmask = nft_genmask_cur(net);
211 ret = __nft_rbtree_get(net, set, key, &rbe, seq, flags, genmask);
212 if (ret || !read_seqcount_retry(&priv->count, seq))
215 read_lock_bh(&priv->lock);
216 seq = read_seqcount_begin(&priv->count);
217 ret = __nft_rbtree_get(net, set, key, &rbe, seq, flags, genmask);
218 read_unlock_bh(&priv->lock);
221 return ERR_PTR(-ENOENT);
226 static void nft_rbtree_gc_elem_remove(struct net *net, struct nft_set *set,
227 struct nft_rbtree *priv,
228 struct nft_rbtree_elem *rbe)
230 lockdep_assert_held_write(&priv->lock);
231 nft_setelem_data_deactivate(net, set, &rbe->priv);
232 rb_erase(&rbe->node, &priv->root);
235 static const struct nft_rbtree_elem *
236 nft_rbtree_gc_elem(const struct nft_set *__set, struct nft_rbtree *priv,
237 struct nft_rbtree_elem *rbe, u8 genmask)
239 struct nft_set *set = (struct nft_set *)__set;
240 struct rb_node *prev = rb_prev(&rbe->node);
241 struct net *net = read_pnet(&set->net);
242 struct nft_rbtree_elem *rbe_prev;
243 struct nft_trans_gc *gc;
245 gc = nft_trans_gc_alloc(set, 0, GFP_ATOMIC);
247 return ERR_PTR(-ENOMEM);
249 /* search for end interval coming before this element.
250 * end intervals don't carry a timeout extension, they
251 * are coupled with the interval start element.
254 rbe_prev = rb_entry(prev, struct nft_rbtree_elem, node);
255 if (nft_rbtree_interval_end(rbe_prev) &&
256 nft_set_elem_active(&rbe_prev->ext, genmask))
259 prev = rb_prev(prev);
264 rbe_prev = rb_entry(prev, struct nft_rbtree_elem, node);
265 nft_rbtree_gc_elem_remove(net, set, priv, rbe_prev);
267 /* There is always room in this trans gc for this element,
268 * memory allocation never actually happens, hence, the warning
269 * splat in such case. No need to set NFT_SET_ELEM_DEAD_BIT,
270 * this is synchronous gc which never fails.
272 gc = nft_trans_gc_queue_sync(gc, GFP_ATOMIC);
273 if (WARN_ON_ONCE(!gc))
274 return ERR_PTR(-ENOMEM);
276 nft_trans_gc_elem_add(gc, rbe_prev);
279 nft_rbtree_gc_elem_remove(net, set, priv, rbe);
280 gc = nft_trans_gc_queue_sync(gc, GFP_ATOMIC);
281 if (WARN_ON_ONCE(!gc))
282 return ERR_PTR(-ENOMEM);
284 nft_trans_gc_elem_add(gc, rbe);
286 nft_trans_gc_queue_sync_done(gc);
291 static bool nft_rbtree_update_first(const struct nft_set *set,
292 struct nft_rbtree_elem *rbe,
293 struct rb_node *first)
295 struct nft_rbtree_elem *first_elem;
297 first_elem = rb_entry(first, struct nft_rbtree_elem, node);
298 /* this element is closest to where the new element is to be inserted:
299 * update the first element for the node list path.
301 if (nft_rbtree_cmp(set, rbe, first_elem) < 0)
307 static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set,
308 struct nft_rbtree_elem *new,
309 struct nft_set_ext **ext)
311 struct nft_rbtree_elem *rbe, *rbe_le = NULL, *rbe_ge = NULL;
312 struct rb_node *node, *next, *parent, **p, *first = NULL;
313 struct nft_rbtree *priv = nft_set_priv(set);
314 u8 cur_genmask = nft_genmask_cur(net);
315 u8 genmask = nft_genmask_next(net);
318 /* Descend the tree to search for an existing element greater than the
319 * key value to insert that is greater than the new element. This is the
320 * first element to walk the ordered elements to find possible overlap.
323 p = &priv->root.rb_node;
326 rbe = rb_entry(parent, struct nft_rbtree_elem, node);
327 d = nft_rbtree_cmp(set, rbe, new);
330 p = &parent->rb_left;
333 nft_rbtree_update_first(set, rbe, first))
336 p = &parent->rb_right;
338 if (nft_rbtree_interval_end(rbe))
339 p = &parent->rb_left;
341 p = &parent->rb_right;
346 first = rb_first(&priv->root);
348 /* Detect overlap by going through the list of valid tree nodes.
349 * Values stored in the tree are in reversed order, starting from
350 * highest to lowest value.
352 for (node = first; node != NULL; node = next) {
353 next = rb_next(node);
355 rbe = rb_entry(node, struct nft_rbtree_elem, node);
357 if (!nft_set_elem_active(&rbe->ext, genmask))
360 /* perform garbage collection to avoid bogus overlap reports
361 * but skip new elements in this transaction.
363 if (nft_set_elem_expired(&rbe->ext) &&
364 nft_set_elem_active(&rbe->ext, cur_genmask)) {
365 const struct nft_rbtree_elem *removed_end;
367 removed_end = nft_rbtree_gc_elem(set, priv, rbe, genmask);
368 if (IS_ERR(removed_end))
369 return PTR_ERR(removed_end);
371 if (removed_end == rbe_le || removed_end == rbe_ge)
377 d = nft_rbtree_cmp(set, rbe, new);
379 /* Matching end element: no need to look for an
380 * overlapping greater or equal element.
382 if (nft_rbtree_interval_end(rbe)) {
387 /* first element that is greater or equal to key value. */
393 /* this is a closer more or equal element, update it. */
394 if (nft_rbtree_cmp(set, rbe_ge, new) != 0) {
399 /* element is equal to key value, make sure flags are
400 * the same, an existing more or equal start element
401 * must not be replaced by more or equal end element.
403 if ((nft_rbtree_interval_start(new) &&
404 nft_rbtree_interval_start(rbe_ge)) ||
405 (nft_rbtree_interval_end(new) &&
406 nft_rbtree_interval_end(rbe_ge))) {
411 /* annotate element greater than the new element. */
415 /* annotate element less than the new element. */
421 /* - new start element matching existing start element: full overlap
422 * reported as -EEXIST, cleared by caller if NLM_F_EXCL is not given.
424 if (rbe_ge && !nft_rbtree_cmp(set, new, rbe_ge) &&
425 nft_rbtree_interval_start(rbe_ge) == nft_rbtree_interval_start(new)) {
430 /* - new end element matching existing end element: full overlap
431 * reported as -EEXIST, cleared by caller if NLM_F_EXCL is not given.
433 if (rbe_le && !nft_rbtree_cmp(set, new, rbe_le) &&
434 nft_rbtree_interval_end(rbe_le) == nft_rbtree_interval_end(new)) {
439 /* - new start element with existing closest, less or equal key value
440 * being a start element: partial overlap, reported as -ENOTEMPTY.
441 * Anonymous sets allow for two consecutive start element since they
442 * are constant, skip them to avoid bogus overlap reports.
444 if (!nft_set_is_anonymous(set) && rbe_le &&
445 nft_rbtree_interval_start(rbe_le) && nft_rbtree_interval_start(new))
448 /* - new end element with existing closest, less or equal key value
449 * being a end element: partial overlap, reported as -ENOTEMPTY.
452 nft_rbtree_interval_end(rbe_le) && nft_rbtree_interval_end(new))
455 /* - new end element with existing closest, greater or equal key value
456 * being an end element: partial overlap, reported as -ENOTEMPTY
459 nft_rbtree_interval_end(rbe_ge) && nft_rbtree_interval_end(new))
462 /* Accepted element: pick insertion point depending on key value */
464 p = &priv->root.rb_node;
467 rbe = rb_entry(parent, struct nft_rbtree_elem, node);
468 d = nft_rbtree_cmp(set, rbe, new);
471 p = &parent->rb_left;
473 p = &parent->rb_right;
474 else if (nft_rbtree_interval_end(rbe))
475 p = &parent->rb_left;
477 p = &parent->rb_right;
480 rb_link_node_rcu(&new->node, parent, p);
481 rb_insert_color(&new->node, &priv->root);
485 static int nft_rbtree_insert(const struct net *net, const struct nft_set *set,
486 const struct nft_set_elem *elem,
487 struct nft_set_ext **ext)
489 struct nft_rbtree_elem *rbe = nft_elem_priv_cast(elem->priv);
490 struct nft_rbtree *priv = nft_set_priv(set);
494 if (fatal_signal_pending(current))
499 write_lock_bh(&priv->lock);
500 write_seqcount_begin(&priv->count);
501 err = __nft_rbtree_insert(net, set, rbe, ext);
502 write_seqcount_end(&priv->count);
503 write_unlock_bh(&priv->lock);
504 } while (err == -EAGAIN);
509 static void nft_rbtree_erase(struct nft_rbtree *priv, struct nft_rbtree_elem *rbe)
511 write_lock_bh(&priv->lock);
512 write_seqcount_begin(&priv->count);
513 rb_erase(&rbe->node, &priv->root);
514 write_seqcount_end(&priv->count);
515 write_unlock_bh(&priv->lock);
518 static void nft_rbtree_remove(const struct net *net,
519 const struct nft_set *set,
520 struct nft_elem_priv *elem_priv)
522 struct nft_rbtree_elem *rbe = nft_elem_priv_cast(elem_priv);
523 struct nft_rbtree *priv = nft_set_priv(set);
525 nft_rbtree_erase(priv, rbe);
528 static void nft_rbtree_activate(const struct net *net,
529 const struct nft_set *set,
530 struct nft_elem_priv *elem_priv)
532 struct nft_rbtree_elem *rbe = nft_elem_priv_cast(elem_priv);
534 nft_set_elem_change_active(net, set, &rbe->ext);
537 static void nft_rbtree_flush(const struct net *net,
538 const struct nft_set *set,
539 struct nft_elem_priv *elem_priv)
541 struct nft_rbtree_elem *rbe = nft_elem_priv_cast(elem_priv);
543 nft_set_elem_change_active(net, set, &rbe->ext);
546 static struct nft_elem_priv *
547 nft_rbtree_deactivate(const struct net *net, const struct nft_set *set,
548 const struct nft_set_elem *elem)
550 struct nft_rbtree_elem *rbe, *this = nft_elem_priv_cast(elem->priv);
551 const struct nft_rbtree *priv = nft_set_priv(set);
552 const struct rb_node *parent = priv->root.rb_node;
553 u8 genmask = nft_genmask_next(net);
556 while (parent != NULL) {
557 rbe = rb_entry(parent, struct nft_rbtree_elem, node);
559 d = memcmp(nft_set_ext_key(&rbe->ext), &elem->key.val,
562 parent = parent->rb_left;
564 parent = parent->rb_right;
566 if (nft_rbtree_interval_end(rbe) &&
567 nft_rbtree_interval_start(this)) {
568 parent = parent->rb_left;
570 } else if (nft_rbtree_interval_start(rbe) &&
571 nft_rbtree_interval_end(this)) {
572 parent = parent->rb_right;
574 } else if (nft_set_elem_expired(&rbe->ext)) {
576 } else if (!nft_set_elem_active(&rbe->ext, genmask)) {
577 parent = parent->rb_left;
580 nft_rbtree_flush(net, set, &rbe->priv);
587 static void nft_rbtree_walk(const struct nft_ctx *ctx,
589 struct nft_set_iter *iter)
591 struct nft_rbtree *priv = nft_set_priv(set);
592 struct nft_rbtree_elem *rbe;
593 struct rb_node *node;
595 read_lock_bh(&priv->lock);
596 for (node = rb_first(&priv->root); node != NULL; node = rb_next(node)) {
597 rbe = rb_entry(node, struct nft_rbtree_elem, node);
599 if (iter->count < iter->skip)
601 if (!nft_set_elem_active(&rbe->ext, iter->genmask))
604 iter->err = iter->fn(ctx, set, iter, &rbe->priv);
606 read_unlock_bh(&priv->lock);
612 read_unlock_bh(&priv->lock);
615 static void nft_rbtree_gc_remove(struct net *net, struct nft_set *set,
616 struct nft_rbtree *priv,
617 struct nft_rbtree_elem *rbe)
619 nft_setelem_data_deactivate(net, set, &rbe->priv);
620 nft_rbtree_erase(priv, rbe);
623 static void nft_rbtree_gc(struct nft_set *set)
625 struct nft_rbtree *priv = nft_set_priv(set);
626 struct nft_rbtree_elem *rbe, *rbe_end = NULL;
627 struct nftables_pernet *nft_net;
628 struct rb_node *node, *next;
629 struct nft_trans_gc *gc;
632 set = nft_set_container_of(priv);
633 net = read_pnet(&set->net);
634 nft_net = nft_pernet(net);
636 gc = nft_trans_gc_alloc(set, 0, GFP_KERNEL);
640 for (node = rb_first(&priv->root); node ; node = next) {
641 next = rb_next(node);
643 rbe = rb_entry(node, struct nft_rbtree_elem, node);
645 /* elements are reversed in the rbtree for historical reasons,
646 * from highest to lowest value, that is why end element is
647 * always visited before the start element.
649 if (nft_rbtree_interval_end(rbe)) {
653 if (!nft_set_elem_expired(&rbe->ext))
656 gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL);
660 /* end element needs to be removed first, it has
661 * no timeout extension.
664 nft_rbtree_gc_remove(net, set, priv, rbe_end);
665 nft_trans_gc_elem_add(gc, rbe_end);
669 gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL);
673 nft_rbtree_gc_remove(net, set, priv, rbe);
674 nft_trans_gc_elem_add(gc, rbe);
680 gc = nft_trans_gc_catchall_sync(gc);
681 nft_trans_gc_queue_sync_done(gc);
682 priv->last_gc = jiffies;
686 static u64 nft_rbtree_privsize(const struct nlattr * const nla[],
687 const struct nft_set_desc *desc)
689 return sizeof(struct nft_rbtree);
692 static int nft_rbtree_init(const struct nft_set *set,
693 const struct nft_set_desc *desc,
694 const struct nlattr * const nla[])
696 struct nft_rbtree *priv = nft_set_priv(set);
698 BUILD_BUG_ON(offsetof(struct nft_rbtree_elem, priv) != 0);
700 rwlock_init(&priv->lock);
701 seqcount_rwlock_init(&priv->count, &priv->lock);
702 priv->root = RB_ROOT;
707 static void nft_rbtree_destroy(const struct nft_ctx *ctx,
708 const struct nft_set *set)
710 struct nft_rbtree *priv = nft_set_priv(set);
711 struct nft_rbtree_elem *rbe;
712 struct rb_node *node;
714 while ((node = priv->root.rb_node) != NULL) {
715 rb_erase(node, &priv->root);
716 rbe = rb_entry(node, struct nft_rbtree_elem, node);
717 nf_tables_set_elem_destroy(ctx, set, &rbe->priv);
721 static bool nft_rbtree_estimate(const struct nft_set_desc *desc, u32 features,
722 struct nft_set_estimate *est)
724 if (desc->field_count > 1)
728 est->size = sizeof(struct nft_rbtree) +
729 desc->size * sizeof(struct nft_rbtree_elem);
733 est->lookup = NFT_SET_CLASS_O_LOG_N;
734 est->space = NFT_SET_CLASS_O_N;
739 static void nft_rbtree_commit(struct nft_set *set)
741 struct nft_rbtree *priv = nft_set_priv(set);
743 if (time_after_eq(jiffies, priv->last_gc + nft_set_gc_interval(set)))
747 static void nft_rbtree_gc_init(const struct nft_set *set)
749 struct nft_rbtree *priv = nft_set_priv(set);
751 priv->last_gc = jiffies;
754 const struct nft_set_type nft_set_rbtree_type = {
755 .features = NFT_SET_INTERVAL | NFT_SET_MAP | NFT_SET_OBJECT | NFT_SET_TIMEOUT,
757 .privsize = nft_rbtree_privsize,
758 .elemsize = offsetof(struct nft_rbtree_elem, ext),
759 .estimate = nft_rbtree_estimate,
760 .init = nft_rbtree_init,
761 .destroy = nft_rbtree_destroy,
762 .insert = nft_rbtree_insert,
763 .remove = nft_rbtree_remove,
764 .deactivate = nft_rbtree_deactivate,
765 .flush = nft_rbtree_flush,
766 .activate = nft_rbtree_activate,
767 .commit = nft_rbtree_commit,
768 .gc_init = nft_rbtree_gc_init,
769 .lookup = nft_rbtree_lookup,
770 .walk = nft_rbtree_walk,
771 .get = nft_rbtree_get,
projects / linux-2.6-microblaze.git / blob