memcg: enable accounting for nft objects

nftables replaces iptables, but it lacks memcg accounting. This patch account most of the memory allocation associated with nft and should protect the host from misusing nft inside a memcg restricted container. Signed-off-by: Vasily Averin <vvs@openvz.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Vasily Averin <vasily.averin@linux.dev> 2022-03-24 21:05:50 +0300
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2022-03-28 10:11:23 +0200
commit: 33758c891479ea1c736abfee64b5225925875557 (patch)
tree: c7c0a388313a1894e13529f422e2265ab830fb00 /net/netfilter/core.c
parent: netfilter: nf_conntrack_tcp: preserve liberal flag in tcp options (diff)
download: linux-dev-33758c891479ea1c736abfee64b5225925875557.tar.xz
linux-dev-33758c891479ea1c736abfee64b5225925875557.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 8a77a3fd69bc..77ae3e8d344c 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -58,7 +58,7 @@ static struct nf_hook_entries *allocate_hook_entries_size(u16 num)
 	if (num == 0)
 		return NULL;
 
-	e = kvzalloc(alloc, GFP_KERNEL);
+	e = kvzalloc(alloc, GFP_KERNEL_ACCOUNT);
 	if (e)
 		e->num_hook_entries = num;
 	return e;
author	Vasily Averin <vasily.averin@linux.dev>	2022-03-24 21:05:50 +0300
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2022-03-28 10:11:23 +0200
commit	33758c891479ea1c736abfee64b5225925875557 (patch)
tree	c7c0a388313a1894e13529f422e2265ab830fb00 /net/netfilter/core.c
parent	netfilter: nf_conntrack_tcp: preserve liberal flag in tcp options (diff)
download	linux-dev-33758c891479ea1c736abfee64b5225925875557.tar.xz linux-dev-33758c891479ea1c736abfee64b5225925875557.zip