[Devel] [PATCH RHEL7 COMMIT] ub/netfilter: account x_tables to ub
Konstantin Khorenko
khorenko at virtuozzo.com
Fri May 29 06:01:35 PDT 2015
The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.7
------>
commit b103b8fdcd475a79e13c3e8f5325c92da90fd401
Author: Vladimir Davydov <vdavydov at parallels.com>
Date: Fri May 29 17:01:34 2015 +0400
ub/netfilter: account x_tables to ub
This patch ports the code accounting netfilter/x_tables to ub
(UB_NUMXTENT) from RH6.
Related to https://jira.sw.ru/browse/PSBM-20089
Signed-off-by: Vladimir Davydov <vdavydov at parallels.com>
---
include/linux/netfilter/x_tables.h | 4 ++++
net/netfilter/x_tables.c | 48 ++++++++++++++++++++++++++++++++++++++
2 files changed, 52 insertions(+)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 43c5f8d..22ee9b9 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -215,6 +215,10 @@ struct xt_table_info {
unsigned int hook_entry[NF_INET_NUMHOOKS];
unsigned int underflow[NF_INET_NUMHOOKS];
+#ifdef CONFIG_BEANCOUNTERS
+ struct user_beancounter *ub;
+#endif
+
/*
* Number of user chains. Since tables cannot have loops, at most
* @stacksize jumps (number of user chains) can possibly be made.
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 919976f..3fa4086 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -67,6 +67,43 @@ static const char *const xt_prefix[NFPROTO_NUMPROTO] = {
[NFPROTO_IPV6] = "ip6",
};
+#ifdef CONFIG_BEANCOUNTERS
+static void uncharge_xtables(struct xt_table_info *info, unsigned long size)
+{
+ uncharge_beancounter(info->ub, UB_NUMXTENT, size);
+}
+
+static int recharge_xtables(struct xt_table_info *new, struct xt_table_info *old)
+{
+ struct user_beancounter *ub, *old_ub;
+ long change;
+
+ ub = new->ub;
+ old_ub = old->number ? old->ub : ub;
+ change = (long)new->number - (long)old->number;
+ if (old_ub != ub) {
+ printk(KERN_WARNING "iptables resources are charged"
+ " from different UB (%s -> %s)\n",
+ old_ub->ub_name, ub->ub_name);
+ change = new->number;
+ }
+
+ if (change > 0) {
+ if (charge_beancounter(ub, UB_NUMXTENT, change, UB_SOFT))
+ return -ENOMEM;
+ } else if (change < 0)
+ uncharge_beancounter(ub, UB_NUMXTENT, -change);
+
+ if (old_ub != ub)
+ uncharge_beancounter(old_ub, UB_NUMXTENT, old->number);
+
+ return 0;
+}
+#else
+#define recharge_xtables(c, new, old) (0)
+#define uncharge_xtables(info, s) do { } while (0)
+#endif /* CONFIG_BEANCOUNTERS */
+
/* Allow this many total (re)entries. */
static const unsigned int xt_jumpstack_multiplier = 2;
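Review bot: The fallback macro `#define recharge_xtables(c, new, old) (0)` takes three parameters, but the function defined above it and the call added in xt_replace_table (`recharge_xtables(newinfo, private)`) pass two. A build without CONFIG_BEANCOUNTERS would therefore fail at that call with a macro-arity error. Change the stub to `#define recharge_xtables(new, old) (0)` so both configurations accept the same call.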
@@ -732,6 +769,8 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size)
}
}
+ newinfo->ub = get_beancounter(get_exec_ub());
+
return newinfo;
}
EXPORT_SYMBOL(xt_alloc_table_info);
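Review bot: `newinfo->ub = get_beancounter(get_exec_ub());` is written outside any `#ifdef`, while the header hunk declares the `ub` member only under CONFIG_BEANCOUNTERS; the same applies to `put_beancounter(info->ub);` in the xt_free_table_info hunk. With the option off, both lines reference a struct member that does not exist, whether or not get_beancounter()/put_beancounter() have stubs (not visible here). Either wrap both statements in `#ifdef CONFIG_BEANCOUNTERS` or hide them behind small helpers defined next to recharge_xtables(). The body of xt_alloc_table_info starts outside this hunk.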
@@ -764,6 +803,8 @@ void xt_free_table_info(struct xt_table_info *info)
free_percpu(info->stackptr);
+ put_beancounter(info->ub);
+
kfree(info);
}
EXPORT_SYMBOL(xt_free_table_info);
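Review bot: `put_beancounter(info->ub)` runs for every table passed to xt_free_table_info, but `ub` is assigned only on the last statement before `return newinfo` in xt_alloc_table_info. If an earlier failure path in that function (outside the visible hunk) releases the partially built table through xt_free_table_info, this call would receive a NULL `ub`; whether put_beancounter() tolerates NULL is not visible here. Taking the reference right after the table structure is allocated, or guarding the release with `if (info->ub) put_beancounter(info->ub);`, removes that dependency.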
@@ -874,6 +915,12 @@ xt_replace_table(struct xt_table *table,
return NULL;
}
+ if (recharge_xtables(newinfo, private)) {
+ local_bh_enable();
+ *error = -ENOMEM;
+ return NULL;
+ }
+
newinfo->initial_entries = private->initial_entries;
/*
* Ensure contents of newinfo are visible before assigning to
@@ -971,6 +1018,7 @@ void *xt_unregister_table(struct xt_table *table)
list_del(&table->list);
mutex_unlock(&xt[table->af].mutex);
kfree(table);
+ uncharge_xtables(private, private->number);
return private;
}