Re: [nft RFC PATCH] src: add import operation

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Patrick McHardy <kaber@trash.net>
To: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Cc: netfilter-devel@vger.kernel.org, pablo@netfilter.org
Subject: Re: [nft RFC PATCH] src: add import operation
Date: Tue, 21 Jan 2014 17:32:03 +0000	[thread overview]
Message-ID: <20140121173203.GA19183@macbook.localnet> (raw)
In-Reply-To: <20140121172209.GB8194@macbook.localnet>

On Tue, Jan 21, 2014 at 05:22:09PM +0000, Patrick McHardy wrote:
> On Tue, Jan 21, 2014 at 06:02:11PM +0100, Arturo Borrero Gonzalez wrote:
> > The import operation reads XML/JSON data from stdin.
> > 
> > A basic way to test is:
> >  % nft export json | nft import json
> > 
> > This operation flush the kernel ruleset before adding the one imported.
> > 
> > Adding data from a file:
> >  % cat file.json | nft import json
> >  % nft import json < file.json
> 
> OK I think I understand your -EBUSY problem. We're destroying the rules'
> expressions from within the RCU callback, so its happening asynchronous.
> You most likely don't get EBUSY when deleting the table, but when deleting
> the set because the bindings from the lookup rules are not released yet.
> You then will *also* get -EBUSY from table deletion.
> 
> Basically I see these possibilities to fix this:
> 
> - Use synchronize_rcu() instead of call_rcu() for rule deletion. We
>   added the call_rcu() because deletion performance was suffering
>   badly from lots of synchronize_rcu() calls. This is obviously not
>   a problem anymore with batched deletion.
> 
> - Use synchronize_rcu() before deleting sets. Same effect, but in case
>   someone really does unbatched deletes, it will very likely result in
>   less synchronize_rcu() calls.

Actually this one is nonsense. synchronize_rcu() doesn't guarantee that
a scheduled RCU callback has already returned. I'd suggest to switch back
rule deletion to use synchronize_rcu().

Basically our API is currently broken since it contains a race condition.
Userspace must be able to assume that the referenced objects can be
removed after the DELRULE command has completed.

> Regarding this patch, I don't think we should add this before we support
> atomic replacement of tables, chains and sets as well. IOW, this needs
> quite a bit of kernel work.

     prev parent reply	other threads:[~2014-01-21 17:32 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-01-21 17:02 [nft RFC PATCH] src: add import operation Arturo Borrero Gonzalez
2014-01-21 17:22 ` Patrick McHardy
2014-01-21 17:32   ` Patrick McHardy [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20140121173203.GA19183@macbook.localnet \
    --to=kaber@trash.net \
    --cc=arturo.borrero.glez@gmail.com \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.