From: Simon Horman <horms@kernel.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org, lorenzo@kernel.org,
netdev@vger.kernel.org
Subject: Re: [PATCH nf-next 1/8] netfilter: flowtable: move nf_flowtable out of container structures
Date: Thu, 23 Nov 2023 13:52:13 +0000 [thread overview]
Message-ID: <20231123135213.GE6339@kernel.org> (raw)
In-Reply-To: <20231121122800.13521-2-fw@strlen.de>
On Tue, Nov 21, 2023 at 01:27:44PM +0100, Florian Westphal wrote:
> struct nf_flowtable is currently wholly embedded in either nft_flowtable
> or tcf_ct_flow_table.
>
> In order to allow flowtable acceleration via XDP, the XDP program will
> need to map struct net_device to struct nf_flowtable.
>
> To make this work reliably, make a clear separation of the frontend
> (nft, tc) and backend (nf_flowtable) representation.
>
> In this first patch, amke it so nft_flowtable and tcf_ct_flow_table
> only store pointers to an nf_flowtable structure.
>
> The main goal is to have follow patches that allow us to keep the
> nf_flowtable structure around for a bit longer (e.g. until after
> an rcu grace period has elapesed) when the frontend(s) are tearing the
> structures down.
>
> At this time, things are fine, but when xdp programs might be using
> the nf_flowtable structure as well we will need a way to ensure that
> no such users exist anymore.
>
> Right now there is inufficient guarantee: nftables only ensures
> that the netfilter hooks are unregistered, and tc only ensures the
> tc actions have been removed.
>
> Any future kfunc might still be called in parallel from an XDP
> program. The easies way to resolve this is to let the nf_flowtable
> core handle release and module reference counting itself.
>
> Signed-off-by: Florian Westphal <fw@strlen.de>
...
> @@ -312,24 +313,29 @@ static int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params)
> if (err)
> goto err_insert;
>
> - ct_ft->nf_ft.type = &flowtable_ct;
> - ct_ft->nf_ft.flags |= NF_FLOWTABLE_HW_OFFLOAD |
> - NF_FLOWTABLE_COUNTER;
> - err = nf_flow_table_init(&ct_ft->nf_ft);
> + ct_ft->nf_ft = kzalloc(sizeof(*ct_ft->nf_ft), GFP_KERNEL);
> + if (!ct_ft->nf_ft)
> + goto err_alloc;
Hi Florian,
This branch will cause the function to return err, but err is 0 here.
Perhaps it should be set to a negative error value instead?
Flagged by Smatch.
> +
> + ct_ft->nf_ft->type = &flowtable_ct;
> + ct_ft->nf_ft->flags |= NF_FLOWTABLE_HW_OFFLOAD |
> + NF_FLOWTABLE_COUNTER;
> + err = nf_flow_table_init(ct_ft->nf_ft);
> if (err)
> goto err_init;
> - write_pnet(&ct_ft->nf_ft.net, net);
> + write_pnet(&ct_ft->nf_ft->net, net);
>
> __module_get(THIS_MODULE);
> out_unlock:
> params->ct_ft = ct_ft;
> - params->nf_ft = &ct_ft->nf_ft;
> + params->nf_ft = ct_ft->nf_ft;
> mutex_unlock(&zones_mutex);
>
> return 0;
>
> err_init:
> rhashtable_remove_fast(&zones_ht, &ct_ft->node, zones_params);
> + kfree(ct_ft->nf_ft);
> err_insert:
> kfree(ct_ft);
> err_alloc:
...
next prev parent reply other threads:[~2023-11-23 13:52 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-21 12:27 [PATCH nf-next 0/8] netfilter: make nf_flowtable lifetime differ from container struct Florian Westphal
2023-11-21 12:27 ` [PATCH nf-next 1/8] netfilter: flowtable: move nf_flowtable out of container structures Florian Westphal
2023-11-23 13:52 ` Simon Horman [this message]
2023-11-23 14:10 ` Florian Westphal
2023-11-25 8:26 ` Simon Horman
2023-11-25 8:36 ` Simon Horman
2023-11-21 12:27 ` [PATCH nf-next 2/8] netfilter: nf_flowtable: replace init callback with a create one Florian Westphal
2023-11-21 12:27 ` [PATCH nf-next 3/8] netfilter: nf_flowtable: make free a real free function Florian Westphal
2023-11-21 12:27 ` [PATCH nf-next 4/8] netfilter: nf_flowtable: delay flowtable release a second time Florian Westphal
2023-11-21 12:27 ` [PATCH nf-next 5/8] netfilter: nf_tables: reject flowtable hw offload for same device Florian Westphal
2023-11-21 12:27 ` [PATCH nf-next 6/8] netfilter: nf_tables: add xdp offload flag Florian Westphal
2023-11-21 12:27 ` [PATCH nf-next 7/8] netfilter: nf_tables: add flowtable map for xdp offload Florian Westphal
2023-11-21 14:25 ` Lorenzo Bianconi
2023-11-24 10:59 ` Toke Høiland-Jørgensen
2023-11-30 13:53 ` Florian Westphal
2023-11-30 14:17 ` Toke Høiland-Jørgensen
2023-11-21 12:27 ` [PATCH nf-next 8/8] netfilter: nf_tables: permit duplicate flowtable mappings Florian Westphal
2023-11-24 9:50 ` [PATCH nf-next 0/8] netfilter: make nf_flowtable lifetime differ from container struct Pablo Neira Ayuso
2023-11-24 9:55 ` Florian Westphal
2023-11-24 10:10 ` Pablo Neira Ayuso
2023-11-24 10:16 ` Florian Westphal
2023-11-24 10:48 ` Toke Høiland-Jørgensen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231123135213.GE6339@kernel.org \
--to=horms@kernel.org \
--cc=fw@strlen.de \
--cc=lorenzo@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.