From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Phil Sutter <phil@nwl.cc>, Florian Westphal <fw@strlen.de>,
netfilter-devel@vger.kernel.org
Subject: Re: [nf-next PATCH v3 3/3] netfilter: nf_tables: Add locking for NFT_MSG_GETRULE_RESET requests
Date: Thu, 19 Oct 2023 15:04:30 +0200 [thread overview]
Message-ID: <ZTEpXnJ1sWvB8rrt@calendula> (raw)
In-Reply-To: <ZTEiLqJuiq5karTL@orbyte.nwl.cc>
On Thu, Oct 19, 2023 at 02:33:50PM +0200, Phil Sutter wrote:
> On Thu, Oct 19, 2023 at 01:38:04PM +0200, Pablo Neira Ayuso wrote:
> > On Thu, Oct 19, 2023 at 01:33:47PM +0200, Phil Sutter wrote:
> > > Rule reset is not concurrency-safe per-se, so multiple CPUs may reset
> > > the same rule at the same time. At least counter and quota expressions
> > > will suffer from value underruns in this case.
> > >
> > > Prevent this by introducing dedicated locking callbacks for nfnetlink
> > > and the asynchronous dump handling to serialize access.
> > >
> > > Signed-off-by: Phil Sutter <phil@nwl.cc>
> > > ---
> > > Changes since v2:
> > > - Keep local variable 'nft_net' in nf_tables_getrule_reset()
> > > - No need for local variable 'family' in same function (used only once
> > > after all the churn)
> > > ---
> > > net/netfilter/nf_tables_api.c | 74 ++++++++++++++++++++++++++++-------
> > > 1 file changed, 60 insertions(+), 14 deletions(-)
> > >
> > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> > > index 584d3b204372..fbb688c9903c 100644
> > > --- a/net/netfilter/nf_tables_api.c
> > > +++ b/net/netfilter/nf_tables_api.c
> > [...]
> > > +static int nf_tables_dumpreset_rules(struct sk_buff *skb,
> > > + struct netlink_callback *cb)
> > > +{
> > > + struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk));
> > > + int ret;
> > > +
> > > + mutex_lock(&nft_net->commit_mutex);
> > > + ret = nf_tables_dump_rules(skb, cb);
> > > + mutex_unlock(&nft_net->commit_mutex);
> >
> > NACK.
> >
> > This just mitigates the problem we are discussing, when there is an
> > interference with an ongoing transaction.
>
> This fixes for user space's ability to underrun counters and quotas
> because expressions' dump callbacks are not concurrency safe in reset
> mode.
>
> What you're concerned with is a different issue.
I'd suggest you add comment to this code, feel free to add better
wording:
/* Mutex is held is to prevent that two concurrent dump-and-reset calls
* do not underrun counters and quotas. The commit_mutex is used for the
* lack a better lock, this is not transaction path.
*/
mutex_lock(&nft_net->commit_mutex);
ret = nf_tables_dump_rules(skb, cb);
mutex_unlock(&nft_net->commit_mutex);
prev parent reply other threads:[~2023-10-19 13:04 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-19 11:33 [nf-next PATCH v3 0/3] Introduce locking for rule reset requests Phil Sutter
2023-10-19 11:33 ` [nf-next PATCH v3 1/3] netfilter: nf_tables: Open-code audit log call in nf_tables_getrule() Phil Sutter
2023-10-19 11:52 ` Florian Westphal
2023-10-19 12:29 ` Phil Sutter
2023-10-19 11:33 ` [nf-next PATCH v3 2/3] netfilter: nf_tables: Introduce nf_tables_getrule_single() Phil Sutter
2023-10-19 11:33 ` [nf-next PATCH v3 3/3] netfilter: nf_tables: Add locking for NFT_MSG_GETRULE_RESET requests Phil Sutter
2023-10-19 11:38 ` Pablo Neira Ayuso
2023-10-19 11:59 ` Florian Westphal
2023-10-19 13:38 ` Pablo Neira Ayuso
2023-10-19 12:33 ` Phil Sutter
2023-10-19 13:04 ` Pablo Neira Ayuso [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZTEpXnJ1sWvB8rrt@calendula \
--to=pablo@netfilter.org \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=phil@nwl.cc \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.