From: Florian Westphal <fw@strlen.de>
To: Vasily Averin <vvs@virtuozzo.com>
Cc: Roman Gushchin <roman.gushchin@linux.dev>,
Linux MM <linux-mm@kvack.org>,
kernel@openvz.org, netfilter-devel@vger.kernel.org,
Pablo Neira Ayuso <pablo@netfilter.org>,
Florian Westphal <fw@strlen.de>,
Jozsef Kadlecsik <kadlec@netfilter.org>
Subject: Re: [PATCH RFC] memcg: Enable accounting for nft objects
Date: Mon, 28 Feb 2022 13:24:29 +0100 [thread overview]
Message-ID: <20220228122429.GC26547@breakpoint.cc> (raw)
In-Reply-To: <81d734aa-7a0f-81b4-34fb-516b17673eac@virtuozzo.com>
Vasily Averin <vvs@virtuozzo.com> wrote:
> nftables replaces iptables but still lacks memcg accounting.
>
> This patch account most part of nft-related allocation and should protect host from nft misuse
> inside memcg-limited container.
>
> Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
> ---
> net/netfilter/core.c | 2 +-
> net/netfilter/nf_tables_api.c | 51 +++++++++++++++++++----------------
> 2 files changed, 29 insertions(+), 24 deletions(-)
>
> diff --git a/net/netfilter/core.c b/net/netfilter/core.c
> index 354cb472f386..6a2b57774999 100644
> --- a/net/netfilter/core.c
> +++ b/net/netfilter/core.c
> @@ -58,7 +58,7 @@ static struct nf_hook_entries *allocate_hook_entries_size(u16 num)
> if (num == 0)
> return NULL;
> - e = kvzalloc(alloc, GFP_KERNEL);
> + e = kvzalloc(alloc, GFP_KERNEL_ACCOUNT);
makes sense to me.
> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> index 5fa16990da95..5e1987ec9715 100644
> --- a/net/netfilter/nf_tables_api.c
> +++ b/net/netfilter/nf_tables_api.c
> @@ -149,7 +149,7 @@ static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
> {
> struct nft_trans *trans;
> - trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
> + trans = kzalloc(sizeof(struct nft_trans) + size, gfp | __GFP_ACCOUNT);
trans_alloc is temporary in nature, they are always free'd by the
time syscall returns (else, bug).
> @@ -1084,6 +1084,7 @@ static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
> struct nft_table *table;
> struct nft_ctx ctx;
> u32 flags = 0;
> + gfp_t gfp = GFP_KERNEL_ACCOUNT;
> int err;
> lockdep_assert_held(&nft_net->commit_mutex);
> @@ -1113,16 +1114,16 @@ static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
> }
> err = -ENOMEM;
> - table = kzalloc(sizeof(*table), GFP_KERNEL);
> + table = kzalloc(sizeof(*table), gfp);
Why gfp temporary variable? Readability? The subsititution looks correct.
Rest looks good, you might need to update nft_limit_init() and a few
other stateful expressions that alloc internal data too.
prev parent reply other threads:[~2022-02-28 12:24 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-28 6:39 Vasily Averin
2022-02-28 12:24 ` Florian Westphal [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220228122429.GC26547@breakpoint.cc \
--to=fw@strlen.de \
--cc=kadlec@netfilter.org \
--cc=kernel@openvz.org \
--cc=linux-mm@kvack.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=roman.gushchin@linux.dev \
--cc=vvs@virtuozzo.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox