Re: [PATCH v5 6/8] netfilter: Remove the now superfluous sentinel elements from ctl_table array

From: Julian Anastasov
Date: Fri Apr 26 2024 - 08:10:59 EST



Hello,

On Fri, 26 Apr 2024, Joel Granados via B4 Relay wrote:

> From: Joel Granados <j.granados@xxxxxxxxxxx>
>
> This commit comes at the tail end of a greater effort to remove the
> empty elements at the end of the ctl_table arrays (sentinels) which will
> reduce the overall build time size of the kernel and run time memory
> bloat by ~64 bytes per sentinel (further information Link :
> https://lore.kernel.org/all/ZO5Yx5JFogGi%2FcBo@xxxxxxxxxxxxxxxxxxxxxx/)
>
> * Remove sentinel elements from ctl_table structs
> * Remove instances where an array element is zeroed out to make it look
> like a sentinel. This is no longer needed and is safe after commit
> c899710fe7f9 ("networking: Update to register_net_sysctl_sz") added
> the array size to the ctl_table registration
> * Remove the need for having __NF_SYSCTL_CT_LAST_SYSCTL as the
> sysctl array size is now in NF_SYSCTL_CT_LAST_SYSCTL
> * Remove extra element in ctl_table arrays declarations
>
> Acked-by: Kees Cook <keescook@xxxxxxxxxxxx> # loadpin & yama
> Signed-off-by: Joel Granados <j.granados@xxxxxxxxxxx>
> ---
> net/bridge/br_netfilter_hooks.c | 1 -
> net/ipv6/netfilter/nf_conntrack_reasm.c | 1 -
> net/netfilter/ipvs/ip_vs_ctl.c | 5 +----
> net/netfilter/ipvs/ip_vs_lblc.c | 5 +----
> net/netfilter/ipvs/ip_vs_lblcr.c | 5 +----
> net/netfilter/nf_conntrack_standalone.c | 6 +-----
> net/netfilter/nf_log.c | 3 +--
> 7 files changed, 5 insertions(+), 21 deletions(-)

..

> diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
> index 143a341bbc0a..50b5dbe40eb8 100644
> --- a/net/netfilter/ipvs/ip_vs_ctl.c
> +++ b/net/netfilter/ipvs/ip_vs_ctl.c

..

> @@ -4286,10 +4285,8 @@ static int __net_init ip_vs_control_net_init_sysctl(struct netns_ipvs *ipvs)
> return -ENOMEM;
>
> /* Don't export sysctls to unprivileged users */
> - if (net->user_ns != &init_user_ns) {
> - tbl[0].procname = NULL;
> + if (net->user_ns != &init_user_ns)
> ctl_table_size = 0;
> - }
> } else
> tbl = vs_vars;
> /* Initialize sysctl defaults */
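Review bot: dropping `tbl[0].procname = NULL;` means the unprivileged-namespace case now depends entirely on `ctl_table_size = 0` being the value handed to the registration call; the allocated copy (`return -ENOMEM` just above) no longer carries any terminator, so any remaining consumer of `tbl` in this function that walks until a NULL procname instead of honouring the size would run off the end of the allocation. Worth stating in the commit message, or confirming in this file, that the only consumer of `tbl` is the size-taking registration and that it is passed `ctl_table_size`, since with the braces gone the `} else` below must still close the outer block rather than this `if`.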

We are in the process of changing this code (not in trees yet):

https://marc.info/?t=171345219600002&r=1&w=2

As I'm not sure which patch will win, the end result should
be that this single if-block/hunk is removed.

Regards

--
Julian Anastasov <ja@xxxxxx>
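Added illustration, not code from the patch, from the kernel or from either poster: a userspace C program modelling the two table-walking conventions the commit message contrasts. A walker that stops at a NULL procname (the pre-c899710fe7f9 pattern) reads past a table that has lost its sentinel, while a walker that is handed the array size, as register_net_sysctl_sz is, does not; the same size-based convention expresses "export nothing to a non-init user namespace" as size 0 instead of stubbing out tbl[0].procname, which is what the ip_vs_ctl.c hunk relies on. The struct layout, the entry names and the two counting functions are stand-ins constructed for the demo, not the kernel's definitions.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the kernel's struct ctl_table with only the fields this demo
 * needs (an assumption, not the kernel definition). */
struct ctl_table {
	const char *procname;
	void *data;
	int maxlen;
};

static int dummy_val;

/* Constructed sample data. The first TABLE_SIZE slots of `backing` are the
 * converted table with NO terminating empty element; the extra slot stands
 * in for whatever happens to sit after the array in memory. */
#define TABLE_SIZE 3
static const struct ctl_table backing[TABLE_SIZE + 1] = {
	{ "entry_a", &dummy_val, sizeof(int) },
	{ "entry_b", &dummy_val, sizeof(int) },
	{ "entry_c", &dummy_val, sizeof(int) },
	{ "unrelated_neighbour", &dummy_val, sizeof(int) },
};

/* The same entries in the old layout, with the trailing sentinel the series
 * removes (the kernel struct is ~64 bytes; this stand-in is smaller). */
static const struct ctl_table with_sentinel[TABLE_SIZE + 1] = {
	{ "entry_a", &dummy_val, sizeof(int) },
	{ "entry_b", &dummy_val, sizeof(int) },
	{ "entry_c", &dummy_val, sizeof(int) },
	{ NULL, NULL, 0 },
};

/* Old-style walker: stops at the first NULL procname. `limit` is a
 * demo-only guard so the program never reads outside `backing`; a real
 * sentinel walker has no such bound. */
static size_t count_by_sentinel(const struct ctl_table *tbl, size_t limit)
{
	size_t n = 0;
	while (n < limit && tbl[n].procname != NULL)
		n++;
	return n;
}

/* Size-taking walker in the spirit of register_net_sysctl_sz(): the caller
 * passes the array size, so no terminator is needed. */
static size_t count_by_size(const struct ctl_table *tbl, size_t size)
{
	size_t n = 0;
	for (size_t i = 0; i < size; i++)
		if (tbl[i].procname != NULL)
			n++;
	return n;
}

/* Model of the decision in the ip_vs_ctl.c hunk: for a non-init user
 * namespace nothing is exported, expressed purely as size 0 rather than by
 * stubbing tbl[0].procname. */
static size_t exported_entries(const struct ctl_table *tbl, size_t size,
			       int is_init_user_ns)
{
	size_t ctl_table_size = is_init_user_ns ? size : 0;
	return count_by_size(tbl, ctl_table_size);
}

/* Cleanup check: a converted table must contain no leftover sentinel.
 * Returns the index of the first NULL procname, or -1 if there is none. */
static long find_sentinel(const struct ctl_table *tbl, size_t size)
{
	for (size_t i = 0; i < size; i++)
		if (tbl[i].procname == NULL)
			return (long)i;
	return -1;
}

int main(void)
{
	printf("sentinel walk over sentinel-free table: %zu entries (table has %d)\n",
	       count_by_sentinel(backing, TABLE_SIZE + 1), TABLE_SIZE);
	printf("sized walk over sentinel-free table:    %zu entries\n",
	       count_by_size(backing, TABLE_SIZE));
	printf("old layout uses %zu elements for %d entries\n",
	       sizeof(with_sentinel) / sizeof(with_sentinel[0]), TABLE_SIZE);
	printf("exported in init_user_ns: %zu, in another user_ns: %zu\n",
	       exported_entries(backing, TABLE_SIZE, 1),
	       exported_entries(backing, TABLE_SIZE, 0));
	printf("leftover sentinel in converted table at index: %ld\n",
	       find_sentinel(backing, TABLE_SIZE));
	return 0;
}
```

The sentinel walk reports four entries for a three-entry table because it keeps going into the neighbouring slot; in the kernel that slot would be whatever follows the kmemdup'd copy, which is the overrun the commit message says the size argument makes unnecessary to guard against. find_sentinel is the kind of check one can run over a converted array to confirm no zeroed element was left behind.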