netfilter: nft_set_rbtree: Switch to node list walk for overlap detection

author Pablo Neira Ayuso <pablo@netfilter.org>

Sat, 14 Jan 2023 22:38:32 +0000 (23:38 +0100)

committer Pablo Neira Ayuso <pablo@netfilter.org>

Mon, 23 Jan 2023 20:36:38 +0000 (21:36 +0100)
author Pablo Neira Ayuso <pablo@netfilter.org>
Sat, 14 Jan 2023 22:38:32 +0000 (23:38 +0100)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Mon, 23 Jan 2023 20:36:38 +0000 (21:36 +0100)
diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c

index 7325bee..217225e 100644 (file)
--- a/net/netfilter/nft_set_rbtree.c
+++ b/net/netfilter/nft_set_rbtree.c
@@ -38,10 +38,12 @@ static bool nft_rbtree_interval_start(const struct nft_rbtree_elem *rbe)
         return !nft_rbtree_interval_end(rbe);
  }
  
         return !nft_rbtree_interval_end(rbe);
  }
  
-static bool nft_rbtree_equal(const struct nft_set *set, const void *this,
-                            const struct nft_rbtree_elem *interval)
+static int nft_rbtree_cmp(const struct nft_set *set,
+                         const struct nft_rbtree_elem *e1,
+                         const struct nft_rbtree_elem *e2)
  {
  {
-       return memcmp(this, nft_set_ext_key(&interval->ext), set->klen) == 0;
+       return memcmp(nft_set_ext_key(&e1->ext), nft_set_ext_key(&e2->ext),
+                     set->klen);
  }
  
  static bool __nft_rbtree_lookup(const struct net *net, const struct nft_set *set,
  }
  
  static bool __nft_rbtree_lookup(const struct net *net, const struct nft_set *set,
@@ -52,7 +54,6 @@ static bool __nft_rbtree_lookup(const struct net *net, const struct nft_set *set
         const struct nft_rbtree_elem *rbe, *interval = NULL;
         u8 genmask = nft_genmask_cur(net);
         const struct rb_node *parent;
         const struct nft_rbtree_elem *rbe, *interval = NULL;
         u8 genmask = nft_genmask_cur(net);
         const struct rb_node *parent;
-       const void *this;
         int d;
  
         parent = rcu_dereference_raw(priv->root.rb_node);
         int d;
  
         parent = rcu_dereference_raw(priv->root.rb_node);
@@ -62,12 +63,11 @@ static bool __nft_rbtree_lookup(const struct net *net, const struct nft_set *set
  
                 rbe = rb_entry(parent, struct nft_rbtree_elem, node);
  
  
                 rbe = rb_entry(parent, struct nft_rbtree_elem, node);
  
-               this = nft_set_ext_key(&rbe->ext);
-               d = memcmp(this, key, set->klen);
+               d = memcmp(nft_set_ext_key(&rbe->ext), key, set->klen);
                 if (d < 0) {
                         parent = rcu_dereference_raw(parent->rb_left);
                         if (interval &&
                 if (d < 0) {
                         parent = rcu_dereference_raw(parent->rb_left);
                         if (interval &&
-                           nft_rbtree_equal(set, this, interval) &&
+                           !nft_rbtree_cmp(set, rbe, interval) &&
                             nft_rbtree_interval_end(rbe) &&
                             nft_rbtree_interval_start(interval))
                                 continue;
                             nft_rbtree_interval_end(rbe) &&
                             nft_rbtree_interval_start(interval))
                                 continue;
@@ -215,154 +215,216 @@ static void *nft_rbtree_get(const struct net *net, const struct nft_set *set,
         return rbe;
  }
  
         return rbe;
  }
  
+static int nft_rbtree_gc_elem(const struct nft_set *__set,
+                             struct nft_rbtree *priv,
+                             struct nft_rbtree_elem *rbe)
+{
+       struct nft_set *set = (struct nft_set *)__set;
+       struct rb_node *prev = rb_prev(&rbe->node);
+       struct nft_rbtree_elem *rbe_prev;
+       struct nft_set_gc_batch *gcb;
+
+       gcb = nft_set_gc_batch_check(set, NULL, GFP_ATOMIC);
+       if (!gcb)
+               return -ENOMEM;
+
+       /* search for expired end interval coming before this element. */
+       do {
+               rbe_prev = rb_entry(prev, struct nft_rbtree_elem, node);
+               if (nft_rbtree_interval_end(rbe_prev))
+                       break;
+
+               prev = rb_prev(prev);
+       } while (prev != NULL);
+
+       rb_erase(&rbe_prev->node, &priv->root);
+       rb_erase(&rbe->node, &priv->root);
+       atomic_sub(2, &set->nelems);
+
+       nft_set_gc_batch_add(gcb, rbe);
+       nft_set_gc_batch_complete(gcb);
+
+       return 0;
+}
+
+static bool nft_rbtree_update_first(const struct nft_set *set,
+                                   struct nft_rbtree_elem *rbe,
+                                   struct rb_node *first)
+{
+       struct nft_rbtree_elem *first_elem;
+
+       first_elem = rb_entry(first, struct nft_rbtree_elem, node);
+       /* this element is closest to where the new element is to be inserted:
+        * update the first element for the node list path.
+        */
+       if (nft_rbtree_cmp(set, rbe, first_elem) < 0)
+               return true;
+
+       return false;
+}
+
  static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set,
                                struct nft_rbtree_elem *new,
                                struct nft_set_ext **ext)
  {
  static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set,
                                struct nft_rbtree_elem *new,
                                struct nft_set_ext **ext)
  {
-       bool overlap = false, dup_end_left = false, dup_end_right = false;
+       struct nft_rbtree_elem *rbe, *rbe_le = NULL, *rbe_ge = NULL;
+       struct rb_node *node, *parent, **p, *first = NULL;
         struct nft_rbtree *priv = nft_set_priv(set);
         u8 genmask = nft_genmask_next(net);
         struct nft_rbtree *priv = nft_set_priv(set);
         u8 genmask = nft_genmask_next(net);
-       struct nft_rbtree_elem *rbe;
-       struct rb_node *parent, **p;
-       int d;
+       int d, err;
  
  
-       /* Detect overlaps as we descend the tree. Set the flag in these cases:
-        *
-        * a1. _ _ __>|  ?_ _ __|  (insert end before existing end)
-        * a2. _ _ ___|  ?_ _ _>|  (insert end after existing end)
-        * a3. _ _ ___? >|_ _ __|  (insert start before existing end)
-        *
-        * and clear it later on, as we eventually reach the points indicated by
-        * '?' above, in the cases described below. We'll always meet these
-        * later, locally, due to tree ordering, and overlaps for the intervals
-        * that are the closest together are always evaluated last.
-        *
-        * b1. _ _ __>|  !_ _ __|  (insert end before existing start)
-        * b2. _ _ ___|  !_ _ _>|  (insert end after existing start)
-        * b3. _ _ ___! >|_ _ __|  (insert start after existing end, as a leaf)
-        *            '--' no nodes falling in this range
-        * b4.          >|_ _   !  (insert start before existing start)
-        *
-        * Case a3. resolves to b3.:
-        * - if the inserted start element is the leftmost, because the '0'
-        *   element in the tree serves as end element
-        * - otherwise, if an existing end is found immediately to the left. If
-        *   there are existing nodes in between, we need to further descend the
-        *   tree before we can conclude the new start isn't causing an overlap
-        *
-        * or to b4., which, preceded by a3., means we already traversed one or
-        * more existing intervals entirely, from the right.
-        *
-        * For a new, rightmost pair of elements, we'll hit cases b3. and b2.,
-        * in that order.
-        *
-        * The flag is also cleared in two special cases:
-        *
-        * b5. |__ _ _!|<_ _ _   (insert start right before existing end)
-        * b6. |__ _ >|!__ _ _   (insert end right after existing start)
-        *
-        * which always happen as last step and imply that no further
-        * overlapping is possible.
-        *
-        * Another special case comes from the fact that start elements matching
-        * an already existing start element are allowed: insertion is not
-        * performed but we return -EEXIST in that case, and the error will be
-        * cleared by the caller if NLM_F_EXCL is not present in the request.
-        * This way, request for insertion of an exact overlap isn't reported as
-        * error to userspace if not desired.
-        *
-        * However, if the existing start matches a pre-existing start, but the
-        * end element doesn't match the corresponding pre-existing end element,
-        * we need to report a partial overlap. This is a local condition that
-        * can be noticed without need for a tracking flag, by checking for a
-        * local duplicated end for a corresponding start, from left and right,
-        * separately.
+       /* Descend the tree to search for an existing element greater than the
+        * key value to insert that is greater than the new element. This is the
+        * first element to walk the ordered elements to find possible overlap.
          */
          */
-
         parent = NULL;
         p = &priv->root.rb_node;
         while (*p != NULL) {
                 parent = *p;
                 rbe = rb_entry(parent, struct nft_rbtree_elem, node);
         parent = NULL;
         p = &priv->root.rb_node;
         while (*p != NULL) {
                 parent = *p;
                 rbe = rb_entry(parent, struct nft_rbtree_elem, node);
-               d = memcmp(nft_set_ext_key(&rbe->ext),
-                          nft_set_ext_key(&new->ext),
-                          set->klen);
+               d = nft_rbtree_cmp(set, rbe, new);
+
                 if (d < 0) {
                         p = &parent->rb_left;
                 if (d < 0) {
                         p = &parent->rb_left;
-
-                       if (nft_rbtree_interval_start(new)) {
-                               if (nft_rbtree_interval_end(rbe) &&
-                                   nft_set_elem_active(&rbe->ext, genmask) &&
-                                   !nft_set_elem_expired(&rbe->ext) && !*p)
-                                       overlap = false;
-                       } else {
-                               if (dup_end_left && !*p)
-                                       return -ENOTEMPTY;
-
-                               overlap = nft_rbtree_interval_end(rbe) &&
-                                         nft_set_elem_active(&rbe->ext,
-                                                             genmask) &&
-                                         !nft_set_elem_expired(&rbe->ext);
-
-                               if (overlap) {
-                                       dup_end_right = true;
-                                       continue;
-                               }
-                       }
                 } else if (d > 0) {
                 } else if (d > 0) {
-                       p = &parent->rb_right;
+                       if (!first ||
+                           nft_rbtree_update_first(set, rbe, first))
+                               first = &rbe->node;
  
  
-                       if (nft_rbtree_interval_end(new)) {
-                               if (dup_end_right && !*p)
-                                       return -ENOTEMPTY;
-
-                               overlap = nft_rbtree_interval_end(rbe) &&
-                                         nft_set_elem_active(&rbe->ext,
-                                                             genmask) &&
-                                         !nft_set_elem_expired(&rbe->ext);
-
-                               if (overlap) {
-                                       dup_end_left = true;
-                                       continue;
-                               }
-                       } else if (nft_set_elem_active(&rbe->ext, genmask) &&
-                                  !nft_set_elem_expired(&rbe->ext)) {
-                               overlap = nft_rbtree_interval_end(rbe);
-                       }
+                       p = &parent->rb_right;
                 } else {
                 } else {
-                       if (nft_rbtree_interval_end(rbe) &&
-                           nft_rbtree_interval_start(new)) {
+                       if (nft_rbtree_interval_end(rbe))
                                 p = &parent->rb_left;
                                 p = &parent->rb_left;
-
-                               if (nft_set_elem_active(&rbe->ext, genmask) &&
-                                   !nft_set_elem_expired(&rbe->ext))
-                                       overlap = false;
-                       } else if (nft_rbtree_interval_start(rbe) &&
-                                  nft_rbtree_interval_end(new)) {
+                       else
                                 p = &parent->rb_right;
                                 p = &parent->rb_right;
+               }
+       }
+
+       if (!first)
+               first = rb_first(&priv->root);
+
+       /* Detect overlap by going through the list of valid tree nodes.
+        * Values stored in the tree are in reversed order, starting from
+        * highest to lowest value.
+        */
+       for (node = first; node != NULL; node = rb_next(node)) {
+               rbe = rb_entry(node, struct nft_rbtree_elem, node);
+
+               if (!nft_set_elem_active(&rbe->ext, genmask))
+                       continue;
  
  
-                               if (nft_set_elem_active(&rbe->ext, genmask) &&
-                                   !nft_set_elem_expired(&rbe->ext))
-                                       overlap = false;
-                       } else if (nft_set_elem_active(&rbe->ext, genmask) &&
-                                  !nft_set_elem_expired(&rbe->ext)) {
-                               *ext = &rbe->ext;
-                               return -EEXIST;
-                       } else {
-                               overlap = false;
-                               if (nft_rbtree_interval_end(rbe))
-                                       p = &parent->rb_left;
-                               else
-                                       p = &parent->rb_right;
+               /* perform garbage collection to avoid bogus overlap reports. */
+               if (nft_set_elem_expired(&rbe->ext)) {
+                       err = nft_rbtree_gc_elem(set, priv, rbe);
+                       if (err < 0)
+                               return err;
+
+                       continue;
+               }
+
+               d = nft_rbtree_cmp(set, rbe, new);
+               if (d == 0) {
+                       /* Matching end element: no need to look for an
+                        * overlapping greater or equal element.
+                        */
+                       if (nft_rbtree_interval_end(rbe)) {
+                               rbe_le = rbe;
+                               break;
+                       }
+
+                       /* first element that is greater or equal to key value. */
+                       if (!rbe_ge) {
+                               rbe_ge = rbe;
+                               continue;
+                       }
+
+                       /* this is a closer more or equal element, update it. */
+                       if (nft_rbtree_cmp(set, rbe_ge, new) != 0) {
+                               rbe_ge = rbe;
+                               continue;
                         }
                         }
+
+                       /* element is equal to key value, make sure flags are
+                        * the same, an existing more or equal start element
+                        * must not be replaced by more or equal end element.
+                        */
+                       if ((nft_rbtree_interval_start(new) &&
+                            nft_rbtree_interval_start(rbe_ge)) ||
+                           (nft_rbtree_interval_end(new) &&
+                            nft_rbtree_interval_end(rbe_ge))) {
+                               rbe_ge = rbe;
+                               continue;
+                       }
+               } else if (d > 0) {
+                       /* annotate element greater than the new element. */
+                       rbe_ge = rbe;
+                       continue;
+               } else if (d < 0) {
+                       /* annotate element less than the new element. */
+                       rbe_le = rbe;
+                       break;
                 }
                 }
+       }
  
  
-               dup_end_left = dup_end_right = false;
+       /* - new start element matching existing start element: full overlap
+        *   reported as -EEXIST, cleared by caller if NLM_F_EXCL is not given.
+        */
+       if (rbe_ge && !nft_rbtree_cmp(set, new, rbe_ge) &&
+           nft_rbtree_interval_start(rbe_ge) == nft_rbtree_interval_start(new)) {
+               *ext = &rbe_ge->ext;
+               return -EEXIST;
+       }
+
+       /* - new end element matching existing end element: full overlap
+        *   reported as -EEXIST, cleared by caller if NLM_F_EXCL is not given.
+        */
+       if (rbe_le && !nft_rbtree_cmp(set, new, rbe_le) &&
+           nft_rbtree_interval_end(rbe_le) == nft_rbtree_interval_end(new)) {
+               *ext = &rbe_le->ext;
+               return -EEXIST;
         }
  
         }
  
-       if (overlap)
+       /* - new start element with existing closest, less or equal key value
+        *   being a start element: partial overlap, reported as -ENOTEMPTY.
+        *   Anonymous sets allow for two consecutive start element since they
+        *   are constant, skip them to avoid bogus overlap reports.
+        */
+       if (!nft_set_is_anonymous(set) && rbe_le &&
+           nft_rbtree_interval_start(rbe_le) && nft_rbtree_interval_start(new))
+               return -ENOTEMPTY;
+
+       /* - new end element with existing closest, less or equal key value
+        *   being a end element: partial overlap, reported as -ENOTEMPTY.
+        */
+       if (rbe_le &&
+           nft_rbtree_interval_end(rbe_le) && nft_rbtree_interval_end(new))
                 return -ENOTEMPTY;
  
                 return -ENOTEMPTY;
  
+       /* - new end element with existing closest, greater or equal key value
+        *   being an end element: partial overlap, reported as -ENOTEMPTY
+        */
+       if (rbe_ge &&
+           nft_rbtree_interval_end(rbe_ge) && nft_rbtree_interval_end(new))
+               return -ENOTEMPTY;
+
+       /* Accepted element: pick insertion point depending on key value */
+       parent = NULL;
+       p = &priv->root.rb_node;
+       while (*p != NULL) {
+               parent = *p;
+               rbe = rb_entry(parent, struct nft_rbtree_elem, node);
+               d = nft_rbtree_cmp(set, rbe, new);
+
+               if (d < 0)
+                       p = &parent->rb_left;
+               else if (d > 0)
+                       p = &parent->rb_right;
+               else if (nft_rbtree_interval_end(rbe))
+                       p = &parent->rb_left;
+               else
+                       p = &parent->rb_right;
+       }
+
         rb_link_node_rcu(&new->node, parent, p);
         rb_insert_color(&new->node, &priv->root);
         return 0;
         rb_link_node_rcu(&new->node, parent, p);
         rb_insert_color(&new->node, &priv->root);
         return 0;
author	Pablo Neira Ayuso <pablo@netfilter.org>
	Sat, 14 Jan 2023 22:38:32 +0000 (23:38 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 23 Jan 2023 20:36:38 +0000 (21:36 +0100)