memcg: enable accounting for nft objects
nftables replaces iptables, but it lacks memcg accounting. This patch account most of the memory allocation associated with nft and should protect the host from misusing nft inside a memcg restricted container. Signed-off-by: Vasily Averin <vvs@openvz.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Родитель
f2dd495a8d
Коммит
33758c8914
|
@ -58,7 +58,7 @@ static struct nf_hook_entries *allocate_hook_entries_size(u16 num)
|
||||||
if (num == 0)
|
if (num == 0)
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
e = kvzalloc(alloc, GFP_KERNEL);
|
e = kvzalloc(alloc, GFP_KERNEL_ACCOUNT);
|
||||||
if (e)
|
if (e)
|
||||||
e->num_hook_entries = num;
|
e->num_hook_entries = num;
|
||||||
return e;
|
return e;
|
||||||
|
|
|
@ -1113,16 +1113,16 @@ static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
|
||||||
}
|
}
|
||||||
|
|
||||||
err = -ENOMEM;
|
err = -ENOMEM;
|
||||||
table = kzalloc(sizeof(*table), GFP_KERNEL);
|
table = kzalloc(sizeof(*table), GFP_KERNEL_ACCOUNT);
|
||||||
if (table == NULL)
|
if (table == NULL)
|
||||||
goto err_kzalloc;
|
goto err_kzalloc;
|
||||||
|
|
||||||
table->name = nla_strdup(attr, GFP_KERNEL);
|
table->name = nla_strdup(attr, GFP_KERNEL_ACCOUNT);
|
||||||
if (table->name == NULL)
|
if (table->name == NULL)
|
||||||
goto err_strdup;
|
goto err_strdup;
|
||||||
|
|
||||||
if (nla[NFTA_TABLE_USERDATA]) {
|
if (nla[NFTA_TABLE_USERDATA]) {
|
||||||
table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL);
|
table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL_ACCOUNT);
|
||||||
if (table->udata == NULL)
|
if (table->udata == NULL)
|
||||||
goto err_table_udata;
|
goto err_table_udata;
|
||||||
|
|
||||||
|
@ -1803,7 +1803,7 @@ static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
|
||||||
struct nft_hook *hook;
|
struct nft_hook *hook;
|
||||||
int err;
|
int err;
|
||||||
|
|
||||||
hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL);
|
hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT);
|
||||||
if (!hook) {
|
if (!hook) {
|
||||||
err = -ENOMEM;
|
err = -ENOMEM;
|
||||||
goto err_hook_alloc;
|
goto err_hook_alloc;
|
||||||
|
@ -2026,7 +2026,7 @@ static struct nft_rule_blob *nf_tables_chain_alloc_rules(unsigned int size)
|
||||||
if (size > INT_MAX)
|
if (size > INT_MAX)
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
blob = kvmalloc(size, GFP_KERNEL);
|
blob = kvmalloc(size, GFP_KERNEL_ACCOUNT);
|
||||||
if (!blob)
|
if (!blob)
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
|
@ -2126,7 +2126,7 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
|
||||||
if (err < 0)
|
if (err < 0)
|
||||||
return err;
|
return err;
|
||||||
|
|
||||||
basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
|
basechain = kzalloc(sizeof(*basechain), GFP_KERNEL_ACCOUNT);
|
||||||
if (basechain == NULL) {
|
if (basechain == NULL) {
|
||||||
nft_chain_release_hook(&hook);
|
nft_chain_release_hook(&hook);
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
@ -2156,7 +2156,7 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
|
||||||
if (flags & NFT_CHAIN_HW_OFFLOAD)
|
if (flags & NFT_CHAIN_HW_OFFLOAD)
|
||||||
return -EOPNOTSUPP;
|
return -EOPNOTSUPP;
|
||||||
|
|
||||||
chain = kzalloc(sizeof(*chain), GFP_KERNEL);
|
chain = kzalloc(sizeof(*chain), GFP_KERNEL_ACCOUNT);
|
||||||
if (chain == NULL)
|
if (chain == NULL)
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
|
||||||
|
@ -2169,7 +2169,7 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
|
||||||
chain->table = table;
|
chain->table = table;
|
||||||
|
|
||||||
if (nla[NFTA_CHAIN_NAME]) {
|
if (nla[NFTA_CHAIN_NAME]) {
|
||||||
chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
|
chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
|
||||||
} else {
|
} else {
|
||||||
if (!(flags & NFT_CHAIN_BINDING)) {
|
if (!(flags & NFT_CHAIN_BINDING)) {
|
||||||
err = -EINVAL;
|
err = -EINVAL;
|
||||||
|
@ -2177,7 +2177,7 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
|
||||||
}
|
}
|
||||||
|
|
||||||
snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
|
snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
|
||||||
chain->name = kstrdup(name, GFP_KERNEL);
|
chain->name = kstrdup(name, GFP_KERNEL_ACCOUNT);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!chain->name) {
|
if (!chain->name) {
|
||||||
|
@ -2186,7 +2186,7 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
|
||||||
}
|
}
|
||||||
|
|
||||||
if (nla[NFTA_CHAIN_USERDATA]) {
|
if (nla[NFTA_CHAIN_USERDATA]) {
|
||||||
chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL);
|
chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL_ACCOUNT);
|
||||||
if (chain->udata == NULL) {
|
if (chain->udata == NULL) {
|
||||||
err = -ENOMEM;
|
err = -ENOMEM;
|
||||||
goto err_destroy_chain;
|
goto err_destroy_chain;
|
||||||
|
@ -2349,7 +2349,7 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
|
||||||
char *name;
|
char *name;
|
||||||
|
|
||||||
err = -ENOMEM;
|
err = -ENOMEM;
|
||||||
name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
|
name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
|
||||||
if (!name)
|
if (!name)
|
||||||
goto err;
|
goto err;
|
||||||
|
|
||||||
|
@ -2797,7 +2797,7 @@ static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
|
||||||
goto err1;
|
goto err1;
|
||||||
|
|
||||||
err = -ENOMEM;
|
err = -ENOMEM;
|
||||||
expr = kzalloc(expr_info.ops->size, GFP_KERNEL);
|
expr = kzalloc(expr_info.ops->size, GFP_KERNEL_ACCOUNT);
|
||||||
if (expr == NULL)
|
if (expr == NULL)
|
||||||
goto err2;
|
goto err2;
|
||||||
|
|
||||||
|
@ -3405,7 +3405,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
|
||||||
}
|
}
|
||||||
|
|
||||||
err = -ENOMEM;
|
err = -ENOMEM;
|
||||||
rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
|
rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL_ACCOUNT);
|
||||||
if (rule == NULL)
|
if (rule == NULL)
|
||||||
goto err_release_expr;
|
goto err_release_expr;
|
||||||
|
|
||||||
|
@ -3818,7 +3818,7 @@ cont:
|
||||||
free_page((unsigned long)inuse);
|
free_page((unsigned long)inuse);
|
||||||
}
|
}
|
||||||
|
|
||||||
set->name = kasprintf(GFP_KERNEL, name, min + n);
|
set->name = kasprintf(GFP_KERNEL_ACCOUNT, name, min + n);
|
||||||
if (!set->name)
|
if (!set->name)
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
|
||||||
|
@ -4382,11 +4382,11 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
|
||||||
alloc_size = sizeof(*set) + size + udlen;
|
alloc_size = sizeof(*set) + size + udlen;
|
||||||
if (alloc_size < size || alloc_size > INT_MAX)
|
if (alloc_size < size || alloc_size > INT_MAX)
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
set = kvzalloc(alloc_size, GFP_KERNEL);
|
set = kvzalloc(alloc_size, GFP_KERNEL_ACCOUNT);
|
||||||
if (!set)
|
if (!set)
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
|
||||||
name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
|
name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT);
|
||||||
if (!name) {
|
if (!name) {
|
||||||
err = -ENOMEM;
|
err = -ENOMEM;
|
||||||
goto err_set_name;
|
goto err_set_name;
|
||||||
|
@ -5921,7 +5921,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
|
||||||
err = -ENOMEM;
|
err = -ENOMEM;
|
||||||
elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
|
elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
|
||||||
elem.key_end.val.data, elem.data.val.data,
|
elem.key_end.val.data, elem.data.val.data,
|
||||||
timeout, expiration, GFP_KERNEL);
|
timeout, expiration, GFP_KERNEL_ACCOUNT);
|
||||||
if (elem.priv == NULL)
|
if (elem.priv == NULL)
|
||||||
goto err_parse_data;
|
goto err_parse_data;
|
||||||
|
|
||||||
|
@ -6165,7 +6165,7 @@ static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
|
||||||
err = -ENOMEM;
|
err = -ENOMEM;
|
||||||
elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
|
elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
|
||||||
elem.key_end.val.data, NULL, 0, 0,
|
elem.key_end.val.data, NULL, 0, 0,
|
||||||
GFP_KERNEL);
|
GFP_KERNEL_ACCOUNT);
|
||||||
if (elem.priv == NULL)
|
if (elem.priv == NULL)
|
||||||
goto fail_elem;
|
goto fail_elem;
|
||||||
|
|
||||||
|
@ -6477,7 +6477,7 @@ static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
|
||||||
}
|
}
|
||||||
|
|
||||||
err = -ENOMEM;
|
err = -ENOMEM;
|
||||||
obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
|
obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL_ACCOUNT);
|
||||||
if (!obj)
|
if (!obj)
|
||||||
goto err2;
|
goto err2;
|
||||||
|
|
||||||
|
@ -6643,7 +6643,7 @@ static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
|
||||||
obj->key.table = table;
|
obj->key.table = table;
|
||||||
obj->handle = nf_tables_alloc_handle(table);
|
obj->handle = nf_tables_alloc_handle(table);
|
||||||
|
|
||||||
obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
|
obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL_ACCOUNT);
|
||||||
if (!obj->key.name) {
|
if (!obj->key.name) {
|
||||||
err = -ENOMEM;
|
err = -ENOMEM;
|
||||||
goto err_strdup;
|
goto err_strdup;
|
||||||
|
@ -7404,7 +7404,7 @@ static int nf_tables_newflowtable(struct sk_buff *skb,
|
||||||
|
|
||||||
nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
|
nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
|
||||||
|
|
||||||
flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
|
flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL_ACCOUNT);
|
||||||
if (!flowtable)
|
if (!flowtable)
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
|
||||||
|
@ -7412,7 +7412,7 @@ static int nf_tables_newflowtable(struct sk_buff *skb,
|
||||||
flowtable->handle = nf_tables_alloc_handle(table);
|
flowtable->handle = nf_tables_alloc_handle(table);
|
||||||
INIT_LIST_HEAD(&flowtable->hook_list);
|
INIT_LIST_HEAD(&flowtable->hook_list);
|
||||||
|
|
||||||
flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
|
flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL_ACCOUNT);
|
||||||
if (!flowtable->name) {
|
if (!flowtable->name) {
|
||||||
err = -ENOMEM;
|
err = -ENOMEM;
|
||||||
goto err1;
|
goto err1;
|
||||||
|
|
Загрузка…
Ссылка в новой задаче