diff mbox series

[v5,6/8] netfilter: Remove the now superfluous sentinel elements from ctl_table array

Message ID 20240426-jag-sysctl_remset_net-v5-6-e3b12f6111a6@samsung.com (mailing list archive)
State Superseded, archived
Headers show
Series [v5,1/8] net: Remove the now superfluous sentinel elements from ctl_table array | expand

Commit Message

Joel Granados via B4 Relay April 26, 2024, 10:46 a.m. UTC
From: Joel Granados <j.granados@samsung.com>

This commit comes at the tail end of a greater effort to remove the
empty elements at the end of the ctl_table arrays (sentinels) which will
reduce the overall build time size of the kernel and run time memory
bloat by ~64 bytes per sentinel (further information Link :
https://lore.kernel.org/all/ZO5Yx5JFogGi%2FcBo@bombadil.infradead.org/)

* Remove sentinel elements from ctl_table structs
* Remove instances where an array element is zeroed out to make it look
  like a sentinel. This is not longer needed and is safe after commit
  c899710fe7f9 ("networking: Update to register_net_sysctl_sz") added
  the array size to the ctl_table registration
* Remove the need for having __NF_SYSCTL_CT_LAST_SYSCTL as the
  sysctl array size is now in NF_SYSCTL_CT_LAST_SYSCTL
* Remove extra element in ctl_table arrays declarations

Acked-by: Kees Cook <keescook@chromium.org> # loadpin & yama
Signed-off-by: Joel Granados <j.granados@samsung.com>
---
 net/bridge/br_netfilter_hooks.c         | 1 -
 net/ipv6/netfilter/nf_conntrack_reasm.c | 1 -
 net/netfilter/ipvs/ip_vs_ctl.c          | 5 +----
 net/netfilter/ipvs/ip_vs_lblc.c         | 5 +----
 net/netfilter/ipvs/ip_vs_lblcr.c        | 5 +----
 net/netfilter/nf_conntrack_standalone.c | 6 +-----
 net/netfilter/nf_log.c                  | 3 +--
 7 files changed, 5 insertions(+), 21 deletions(-)

Comments

Julian Anastasov April 26, 2024, 12:09 p.m. UTC | #1
Hello,

On Fri, 26 Apr 2024, Joel Granados via B4 Relay wrote:

> From: Joel Granados <j.granados@samsung.com>
> 
> This commit comes at the tail end of a greater effort to remove the
> empty elements at the end of the ctl_table arrays (sentinels) which will
> reduce the overall build time size of the kernel and run time memory
> bloat by ~64 bytes per sentinel (further information Link :
> https://lore.kernel.org/all/ZO5Yx5JFogGi%2FcBo@bombadil.infradead.org/)
> 
> * Remove sentinel elements from ctl_table structs
> * Remove instances where an array element is zeroed out to make it look
>   like a sentinel. This is not longer needed and is safe after commit
>   c899710fe7f9 ("networking: Update to register_net_sysctl_sz") added
>   the array size to the ctl_table registration
> * Remove the need for having __NF_SYSCTL_CT_LAST_SYSCTL as the
>   sysctl array size is now in NF_SYSCTL_CT_LAST_SYSCTL
> * Remove extra element in ctl_table arrays declarations
> 
> Acked-by: Kees Cook <keescook@chromium.org> # loadpin & yama
> Signed-off-by: Joel Granados <j.granados@samsung.com>
> ---
>  net/bridge/br_netfilter_hooks.c         | 1 -
>  net/ipv6/netfilter/nf_conntrack_reasm.c | 1 -
>  net/netfilter/ipvs/ip_vs_ctl.c          | 5 +----
>  net/netfilter/ipvs/ip_vs_lblc.c         | 5 +----
>  net/netfilter/ipvs/ip_vs_lblcr.c        | 5 +----
>  net/netfilter/nf_conntrack_standalone.c | 6 +-----
>  net/netfilter/nf_log.c                  | 3 +--
>  7 files changed, 5 insertions(+), 21 deletions(-)

...

> diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
> index 143a341bbc0a..50b5dbe40eb8 100644
> --- a/net/netfilter/ipvs/ip_vs_ctl.c
> +++ b/net/netfilter/ipvs/ip_vs_ctl.c

...

> @@ -4286,10 +4285,8 @@ static int __net_init ip_vs_control_net_init_sysctl(struct netns_ipvs *ipvs)
>  			return -ENOMEM;
>  
>  		/* Don't export sysctls to unprivileged users */
> -		if (net->user_ns != &init_user_ns) {
> -			tbl[0].procname = NULL;
> +		if (net->user_ns != &init_user_ns)
>  			ctl_table_size = 0;
> -		}
>  	} else
>  		tbl = vs_vars;
>  	/* Initialize sysctl defaults */

	We are in process of changing this code (not in trees yet):

https://marc.info/?t=171345219600002&r=1&w=2

	As I'm not sure which patch will win, the end result should
be this single if-block/hunk to be removed.

Regards

--
Julian Anastasov <ja@ssi.bg>
Joel Granados April 29, 2024, 9:32 a.m. UTC | #2
On Fri, Apr 26, 2024 at 03:09:45PM +0300, Julian Anastasov wrote:
> 
> 	Hello,
> 
> On Fri, 26 Apr 2024, Joel Granados via B4 Relay wrote:
> 
> > From: Joel Granados <j.granados@samsung.com>
> > 
> > This commit comes at the tail end of a greater effort to remove the
> > empty elements at the end of the ctl_table arrays (sentinels) which will
> > reduce the overall build time size of the kernel and run time memory
> > bloat by ~64 bytes per sentinel (further information Link :
> > https://lore.kernel.org/all/ZO5Yx5JFogGi%2FcBo@bombadil.infradead.org/)
> > 
> > * Remove sentinel elements from ctl_table structs
> > * Remove instances where an array element is zeroed out to make it look
> >   like a sentinel. This is not longer needed and is safe after commit
> >   c899710fe7f9 ("networking: Update to register_net_sysctl_sz") added
> >   the array size to the ctl_table registration
> > * Remove the need for having __NF_SYSCTL_CT_LAST_SYSCTL as the
> >   sysctl array size is now in NF_SYSCTL_CT_LAST_SYSCTL
> > * Remove extra element in ctl_table arrays declarations
> > 
> > Acked-by: Kees Cook <keescook@chromium.org> # loadpin & yama
> > Signed-off-by: Joel Granados <j.granados@samsung.com>
> > ---
> >  net/bridge/br_netfilter_hooks.c         | 1 -
> >  net/ipv6/netfilter/nf_conntrack_reasm.c | 1 -
> >  net/netfilter/ipvs/ip_vs_ctl.c          | 5 +----
> >  net/netfilter/ipvs/ip_vs_lblc.c         | 5 +----
> >  net/netfilter/ipvs/ip_vs_lblcr.c        | 5 +----
> >  net/netfilter/nf_conntrack_standalone.c | 6 +-----
> >  net/netfilter/nf_log.c                  | 3 +--
> >  7 files changed, 5 insertions(+), 21 deletions(-)
> 
> ...
> 
> > diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
> > index 143a341bbc0a..50b5dbe40eb8 100644
> > --- a/net/netfilter/ipvs/ip_vs_ctl.c
> > +++ b/net/netfilter/ipvs/ip_vs_ctl.c
> 
> ...
> 
> > @@ -4286,10 +4285,8 @@ static int __net_init ip_vs_control_net_init_sysctl(struct netns_ipvs *ipvs)
> >  			return -ENOMEM;
> >  
> >  		/* Don't export sysctls to unprivileged users */
> > -		if (net->user_ns != &init_user_ns) {
> > -			tbl[0].procname = NULL;
> > +		if (net->user_ns != &init_user_ns)
> >  			ctl_table_size = 0;
> > -		}
> >  	} else
> >  		tbl = vs_vars;
> >  	/* Initialize sysctl defaults */
> 
> 	We are in process of changing this code (not in trees yet):
> 
> https://marc.info/?t=171345219600002&r=1&w=2
> 
> 	As I'm not sure which patch will win, the end result should
> be this single if-block/hunk to be removed.
Thx for the heads up. I have made a note of it in case this set ends up
being after yours.


> 
> Regards
> 
> --
> Julian Anastasov <ja@ssi.bg>
>
diff mbox series

Patch

diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index 35e10c5a766d..d31f57ffe985 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -1219,7 +1219,6 @@  static struct ctl_table brnf_table[] = {
 		.mode		= 0644,
 		.proc_handler	= brnf_sysctl_call_tables,
 	},
-	{ }
 };
 
 static inline void br_netfilter_sysctl_default(struct brnf_net *brnf)
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 1a51a44571c3..8531750ec081 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -62,7 +62,6 @@  static struct ctl_table nf_ct_frag6_sysctl_table[] = {
 		.mode		= 0644,
 		.proc_handler	= proc_doulongvec_minmax,
 	},
-	{ }
 };
 
 static int nf_ct_frag6_sysctl_register(struct net *net)
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 143a341bbc0a..50b5dbe40eb8 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2263,7 +2263,6 @@  static struct ctl_table vs_vars[] = {
 		.proc_handler	= proc_dointvec,
 	},
 #endif
-	{ }
 };
 
 #endif
@@ -4286,10 +4285,8 @@  static int __net_init ip_vs_control_net_init_sysctl(struct netns_ipvs *ipvs)
 			return -ENOMEM;
 
 		/* Don't export sysctls to unprivileged users */
-		if (net->user_ns != &init_user_ns) {
-			tbl[0].procname = NULL;
+		if (net->user_ns != &init_user_ns)
 			ctl_table_size = 0;
-		}
 	} else
 		tbl = vs_vars;
 	/* Initialize sysctl defaults */
diff --git a/net/netfilter/ipvs/ip_vs_lblc.c b/net/netfilter/ipvs/ip_vs_lblc.c
index 8ceec7a2fa8f..2423513d701d 100644
--- a/net/netfilter/ipvs/ip_vs_lblc.c
+++ b/net/netfilter/ipvs/ip_vs_lblc.c
@@ -123,7 +123,6 @@  static struct ctl_table vs_vars_table[] = {
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
-	{ }
 };
 #endif
 
@@ -563,10 +562,8 @@  static int __net_init __ip_vs_lblc_init(struct net *net)
 			return -ENOMEM;
 
 		/* Don't export sysctls to unprivileged users */
-		if (net->user_ns != &init_user_ns) {
-			ipvs->lblc_ctl_table[0].procname = NULL;
+		if (net->user_ns != &init_user_ns)
 			vars_table_size = 0;
-		}
 
 	} else
 		ipvs->lblc_ctl_table = vs_vars_table;
diff --git a/net/netfilter/ipvs/ip_vs_lblcr.c b/net/netfilter/ipvs/ip_vs_lblcr.c
index 0fb64707213f..cdb1d4bf6761 100644
--- a/net/netfilter/ipvs/ip_vs_lblcr.c
+++ b/net/netfilter/ipvs/ip_vs_lblcr.c
@@ -294,7 +294,6 @@  static struct ctl_table vs_vars_table[] = {
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_jiffies,
 	},
-	{ }
 };
 #endif
 
@@ -749,10 +748,8 @@  static int __net_init __ip_vs_lblcr_init(struct net *net)
 			return -ENOMEM;
 
 		/* Don't export sysctls to unprivileged users */
-		if (net->user_ns != &init_user_ns) {
-			ipvs->lblcr_ctl_table[0].procname = NULL;
+		if (net->user_ns != &init_user_ns)
 			vars_table_size = 0;
-		}
 	} else
 		ipvs->lblcr_ctl_table = vs_vars_table;
 	ipvs->sysctl_lblcr_expiration = DEFAULT_EXPIRATION;
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 0ee98ce5b816..2f226cfb32d0 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -616,11 +616,9 @@  enum nf_ct_sysctl_index {
 	NF_SYSCTL_CT_LWTUNNEL,
 #endif
 
-	__NF_SYSCTL_CT_LAST_SYSCTL,
+	NF_SYSCTL_CT_LAST_SYSCTL,
 };
 
-#define NF_SYSCTL_CT_LAST_SYSCTL (__NF_SYSCTL_CT_LAST_SYSCTL + 1)
-
 static struct ctl_table nf_ct_sysctl_table[] = {
 	[NF_SYSCTL_CT_MAX] = {
 		.procname	= "nf_conntrack_max",
@@ -957,7 +955,6 @@  static struct ctl_table nf_ct_sysctl_table[] = {
 		.proc_handler	= nf_hooks_lwtunnel_sysctl_handler,
 	},
 #endif
-	{}
 };
 
 static struct ctl_table nf_ct_netfilter_table[] = {
@@ -968,7 +965,6 @@  static struct ctl_table nf_ct_netfilter_table[] = {
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec,
 	},
-	{ }
 };
 
 static void nf_conntrack_standalone_init_tcp_sysctl(struct net *net,
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index 370f8231385c..d42ba733496b 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -395,7 +395,7 @@  static const struct seq_operations nflog_seq_ops = {
 
 #ifdef CONFIG_SYSCTL
 static char nf_log_sysctl_fnames[NFPROTO_NUMPROTO-NFPROTO_UNSPEC][3];
-static struct ctl_table nf_log_sysctl_table[NFPROTO_NUMPROTO+1];
+static struct ctl_table nf_log_sysctl_table[NFPROTO_NUMPROTO];
 static struct ctl_table_header *nf_log_sysctl_fhdr;
 
 static struct ctl_table nf_log_sysctl_ftable[] = {
@@ -406,7 +406,6 @@  static struct ctl_table nf_log_sysctl_ftable[] = {
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec,
 	},
-	{ }
 };
 
 static int nf_log_proc_dostring(struct ctl_table *table, int write,