From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Xin Long <lucien.xin@gmail.com>
Cc: network dev <netdev@vger.kernel.org>,
netfilter-devel@vger.kernel.org, davem@davemloft.net,
fw@strlen.de
Subject: Re: [PATCH net] netfilter: do not hold dev in ipt_CLUSTERIP
Date: Mon, 19 Jun 2017 19:08:37 +0200 [thread overview]
Message-ID: <20170619170837.GA4763@salvia> (raw)
In-Reply-To: <cc6ebc3f8784d8d537737a1e18b443a2e0c7313a.1495271286.git.lucien.xin@gmail.com>
On Sat, May 20, 2017 at 05:08:06PM +0800, Xin Long wrote:
> It's a terrible thing to hold dev in iptables target. When the dev is
> being removed, unregister_netdevice has to wait for the dev to become
> free. dmesg will keep logging the err:
>
> kernel:unregister_netdevice: waiting for veth0_in to become free. \
> Usage count = 1
>
> until iptables rules with this target are removed manually.
>
> The worse thing is when deleting a netns, a virtual nic will be deleted
> instead of reset to init_net in default_device_ops exit/exit_batch. As
> it is earlier than to flush the iptables rules in iptable_filter_net_ops
> exit, unregister_netdevice will block to wait for the nic to become free.
>
> As unregister_netdevice is actually waiting for iptables rules flushing
> while iptables rules have to be flushed after unregister_netdevice. This
> 'dead lock' will cause unregister_netdevice to block there forever. As
> the netns is not available to operate at that moment, iptables rules can
> not even be flushed manually either.
>
> The reproducer can be:
>
> # ip netns add test
> # ip link add veth0_in type veth peer name veth0_out
> # ip link set veth0_in netns test
> # ip netns exec test ip link set lo up
> # ip netns exec test ip link set veth0_in up
> # ip netns exec test iptables -I INPUT -d 1.2.3.4 -i veth0_in -j \
> CLUSTERIP --new --clustermac 89:d4:47:eb:9a:fa --total-nodes 3 \
> --local-node 1 --hashmode sourceip-sourceport
> # ip netns del test
>
> This issue can be triggered by all virtual nics with ipt_CLUSTERIP.
>
> This patch is to fix it by not holding dev in ipt_CLUSTERIP, but only
> save dev->ifindex instead of dev. When removing the mc from the dev,
> it will get dev by c->ifindex through dev_get_by_index.
>
> Note that it doesn't save dev->name but dev->ifindex, as a dev->name
> can be changed, it will confuse ipt_CLUSTERIP.
Applied to nf-next.
This problem has been there since day 1, and it's a large patch, so I
prefer we follow nf-next path.
Thanks!
prev parent reply other threads:[~2017-06-19 17:08 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-20 9:08 [PATCH net] netfilter: do not hold dev in ipt_CLUSTERIP Xin Long
2017-05-23 21:26 ` Pablo Neira Ayuso
2017-05-24 8:53 ` Xin Long
2017-06-19 17:08 ` Pablo Neira Ayuso [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170619170837.GA4763@salvia \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=fw@strlen.de \
--cc=lucien.xin@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.