[Devel] [PATCH rh7] netfilter: account x_tables to ub

Thu May 28 09:11:58 PDT 2015

Andrey, please review.

--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 05/28/2015 05:43 PM, Vladimir Davydov wrote:
> This patch ports the code accounting netfilter/x_tables to ub
> (UB_NUMXTENT) from RH6.
> 
> Related to https://jira.sw.ru/browse/PSBM-20089
> 
> Signed-off-by: Vladimir Davydov <vdavydov at parallels.com>
> ---
>  include/linux/netfilter/x_tables.h |  4 ++++
>  net/netfilter/x_tables.c           | 48 ++++++++++++++++++++++++++++++++++++++
>  2 files changed, 52 insertions(+)
> 
> diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
> index 43c5f8d26880..22ee9b961ed9 100644
> --- a/include/linux/netfilter/x_tables.h
> +++ b/include/linux/netfilter/x_tables.h
> @@ -215,6 +215,10 @@ struct xt_table_info {
>  	unsigned int hook_entry[NF_INET_NUMHOOKS];
>  	unsigned int underflow[NF_INET_NUMHOOKS];
>  
> +#ifdef CONFIG_BEANCOUNTERS
> +	struct user_beancounter *ub;
> +#endif
> +
>  	/*
>  	 * Number of user chains. Since tables cannot have loops, at most
>  	 * @stacksize jumps (number of user chains) can possibly be made.
> diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
> index 919976f89644..3fa408656f17 100644
> --- a/net/netfilter/x_tables.c
> +++ b/net/netfilter/x_tables.c
> @@ -67,6 +67,43 @@ static const char *const xt_prefix[NFPROTO_NUMPROTO] = {
>  	[NFPROTO_IPV6]   = "ip6",
>  };
>  
> +#ifdef CONFIG_BEANCOUNTERS
> +static void uncharge_xtables(struct xt_table_info *info, unsigned long size)
> +{
> +	uncharge_beancounter(info->ub, UB_NUMXTENT, size);
> +}
> +
> +static int recharge_xtables(struct xt_table_info *new, struct xt_table_info *old)
> +{
> +	struct user_beancounter *ub, *old_ub;
> +	long change;
> +
> +	ub = new->ub;
> +	old_ub = old->number ? old->ub : ub;
> +	change = (long)new->number - (long)old->number;
> +	if (old_ub != ub) {
> +		printk(KERN_WARNING "iptables resources are charged"
> +				" from different UB (%s -> %s)\n",
> +				old_ub->ub_name, ub->ub_name);
> +		change = new->number;
> +	}
> +
> +	if (change > 0) {
> +		if (charge_beancounter(ub, UB_NUMXTENT, change, UB_SOFT))
> +			return -ENOMEM;
> +	} else if (change < 0)
> +		uncharge_beancounter(ub, UB_NUMXTENT, -change);
> +
> +	if (old_ub != ub)
> +		uncharge_beancounter(old_ub, UB_NUMXTENT, old->number);
> +
> +	return 0;
> +}
> +#else
> +#define recharge_xtables(c, new, old)	(0)
> +#define uncharge_xtables(info, s)	do { } while (0)
> +#endif	/* CONFIG_BEANCOUNTERS */
> +
>  /* Allow this many total (re)entries. */
>  static const unsigned int xt_jumpstack_multiplier = 2;
>  
> @@ -732,6 +769,8 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size)
>  		}
>  	}
>  
> +	newinfo->ub = get_beancounter(get_exec_ub());
> +
>  	return newinfo;
>  }
>  EXPORT_SYMBOL(xt_alloc_table_info);
> @@ -764,6 +803,8 @@ void xt_free_table_info(struct xt_table_info *info)
>  
>  	free_percpu(info->stackptr);
>  
> +	put_beancounter(info->ub);
> +
>  	kfree(info);
>  }
>  EXPORT_SYMBOL(xt_free_table_info);
> @@ -874,6 +915,12 @@ xt_replace_table(struct xt_table *table,
>  		return NULL;
>  	}
>  
> +	if (recharge_xtables(newinfo, private)) {
> +		local_bh_enable();
> +		*error = -ENOMEM;
> +		return NULL;
> +	}
> +
>  	newinfo->initial_entries = private->initial_entries;
>  	/*
>  	 * Ensure contents of newinfo are visible before assigning to
> @@ -971,6 +1018,7 @@ void *xt_unregister_table(struct xt_table *table)
>  	list_del(&table->list);
>  	mutex_unlock(&xt[table->af].mutex);
>  	kfree(table);
> +	uncharge_xtables(private, private->number);
>  
>  	return private;
>  }
> 