netfilter: nf_tables: allocate element update information dynamically

Move the timeout/expire/flag members from nft_trans_one_elem struct into a dybamically allocated structure, only needed when timeout update was requested. This halves size of nft_trans_one_elem struct and allows to compact up to 124 elements in one transaction container rather than 62. This halves memory requirements for a large flush or insert transaction, where ->update remains NULL. Care has to be taken to release the extra data in all spots, including abort path. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Florian Westphal <fw@strlen.de> 2024-11-13 16:35:53 +0100
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2024-11-14 13:05:49 +0100
commit: 508180850b732c7a0e3a728460cf3f95f25e1fbd (patch)
tree: c962ca63c29191340956a43d744f0724e1d313c6 /include/net/netfilter
parent: b0c49466043a4878d8ef1263a4c9020698958a4c (diff)
1 files changed, 7 insertions, 3 deletions
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 37af0b174c39..80a537ac26cd 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1759,11 +1759,15 @@ enum nft_trans_elem_flags {
 	NFT_TRANS_UPD_EXPIRATION	= (1 << 1),
 };
 
-struct nft_trans_one_elem {
-	struct nft_elem_priv		*priv;
+struct nft_elem_update {
 	u64				timeout;
 	u64				expiration;
-	u8				update_flags;
+	u8				flags;
+};
+
+struct nft_trans_one_elem {
+	struct nft_elem_priv		*priv;
+	struct nft_elem_update		*update;
 };
 
 struct nft_trans_elem {
author	Florian Westphal <fw@strlen.de>	2024-11-13 16:35:53 +0100
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2024-11-14 13:05:49 +0100
commit	508180850b732c7a0e3a728460cf3f95f25e1fbd (patch)
tree	c962ca63c29191340956a43d744f0724e1d313c6 /include/net/netfilter
parent	b0c49466043a4878d8ef1263a4c9020698958a4c (diff)