From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
	linux-rt-devel@lists.linux.dev, Florian Westphal <fw@strlen.de>,
	Jozsef Kadlecsik <kadlec@netfilter.org>,
	Thomas Gleixner <tglx@linutronix.de>
Subject: Re: [PATCH v4] netfilter: Exclude LEGACY TABLES on PREEMPT_RT.
Date: Tue, 15 Apr 2025 17:14:39 +0200
Message-ID: <Z_5335rrIYsyVq6E@calendula>
In-Reply-To: <20250404152815.LilZda0r@linutronix.de>

On Fri, Apr 04, 2025 at 05:28:15PM +0200, Sebastian Andrzej Siewior wrote:
> From: Pablo Neira Ayuso <pablo@netfilter.org>
> 
> The seqcount xt_recseq is used to synchronize the replacement of
> xt_table::private in xt_replace_table() against all readers such as
> ipt_do_table().
> 
> To ensure that there is only one writer, the writing side disables
> bottom halves. The sequence counter can be acquired recursively. Only the
> first invocation modifies the sequence counter (signaling that a writer
> is in progress) while the following (recursive) writer does not modify
> the counter.
> The lack of a proper locking mechanism for the sequence counter can lead
> to a live lock on PREEMPT_RT if a high-priority reader preempts the
> writer. Additionally, if the per-CPU lock on PREEMPT_RT is removed from
> local_bh_disable(), then there is no synchronisation for the per-CPU
> sequence counter.
> 
> The affected code is "just" the legacy netfilter code which is replaced
> by "netfilter tables". That code can be disabled without sacrificing
> functionality because everything is provided by the newer
> implementation. This will only require the usage of the "-nft" tools
> instead of the "-legacy" ones.
> The long term plan is to remove the legacy code, so let's accelerate the
> progress.
> 
> Relax dependencies on iptables legacy and replace select with depends on;
> this should cause no harm to existing kernel configs, and users can still
> toggle IP{6}_NF_IPTABLES_LEGACY in any case.
> Make EBTABLES_LEGACY, IPTABLES_LEGACY and ARPTABLES depend on
> NETFILTER_LEGACY. Hide xt_recseq and its users, xt_register_table() and
> xt_percpu_counter_alloc() behind NETFILTER_LEGACY. Let NETFILTER_LEGACY
> depend on !PREEMPT_RT.
> 
> Replace CONFIG_IP6_NF_MANGLE->CONFIG_IP6_NF_IPTABLES for TCPOPTSTRIP and
> add CONFIG_NFT_COMPAT_ARP to the MARK target for the IPv6 and ARP target
> to keep it enabled without the LEGACY code for NFT.

Applied to nf-next.

Thanks for keeping me as author, I don't deserve it.
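
As an added illustration of the recursive xt_recseq protocol described in the quoted commit message, here is a single-threaded userspace model written for this page (it is not kernel code and not part of the patch). It keeps the addend trick of xt_write_recseq_begin()/xt_write_recseq_end(), where only the outermost entry flips the per-CPU counter to odd and a nested entry adds 0, and the xt_replace_table() side that waits for every CPU's counter to be even. The fixed CPU count, the explicit cpu argument in place of this_cpu, the omitted memory barriers and the bounded spin count are assumptions of the model, not of the kernel.

```c
/* Userspace model of netfilter's per-CPU xt_recseq protocol.
 * Added example for this page, not kernel code. Assumptions: NR_CPUS is
 * fixed, the CPU is passed explicitly instead of using this_cpu, there is
 * no concurrency so barriers are omitted, and the replace-side wait is
 * bounded so the stuck case becomes observable instead of hanging. */
#include <stdbool.h>
#include <stdio.h>

#define NR_CPUS 4

/* Per-CPU sequence counter: odd while an ipt_do_table()-style section is
 * open on that CPU, even otherwise. */
static unsigned int xt_recseq[NR_CPUS];

/* Model of xt_write_recseq_begin(): returns the addend that was applied.
 * Counter even -> addend 1 (outermost entry, counter becomes odd).
 * Counter odd  -> addend 0 (recursive entry, counter left as-is). */
static unsigned int recseq_begin(int cpu)
{
    unsigned int addend = (xt_recseq[cpu] + 1) & 1;
    xt_recseq[cpu] += addend;
    return addend;
}

/* Model of xt_write_recseq_end(): undo exactly what begin() applied, so
 * only the outermost exit makes the counter even again. */
static void recseq_end(int cpu, unsigned int addend)
{
    xt_recseq[cpu] += addend;
}

/* Model of the wait in xt_replace_table(): after the table pointer has been
 * swapped, every CPU whose counter is odd must either become even or move
 * on to a new sequence before the old table may be freed. In this
 * single-threaded model nothing else can close an open section, so the
 * spin is capped: returning false is the situation in which the real loop
 * keeps spinning, which is the PREEMPT_RT live-lock the commit message
 * describes when the section holder cannot run. */
static bool replace_table_wait(unsigned int max_spins)
{
    for (int cpu = 0; cpu < NR_CPUS; cpu++) {
        unsigned int seq = xt_recseq[cpu];
        if (!(seq & 1))
            continue;               /* no section open on this CPU */
        unsigned int spins = 0;
        while (seq == xt_recseq[cpu]) {
            if (++spins >= max_spins)
                return false;       /* still odd: would spin forever */
        }
    }
    return true;
}

int main(void)
{
    /* Constructed scenario: CPU 2 enters the table, re-enters it once
     * (e.g. a target that traverses the table again), then unwinds. */
    unsigned int outer = recseq_begin(2);   /* addend 1, counter -> 1 */
    unsigned int inner = recseq_begin(2);   /* addend 0, counter stays 1 */
    printf("outer addend %u, inner addend %u, seq %u\n", outer, inner, xt_recseq[2]);
    printf("replace while section open: %s\n",
           replace_table_wait(1000) ? "proceeds" : "stuck");
    recseq_end(2, inner);
    recseq_end(2, outer);                   /* counter -> 2, even */
    printf("replace after section closed: %s (seq %u)\n",
           replace_table_wait(1000) ? "proceeds" : "stuck", xt_recseq[2]);
    return 0;
}
```

The model shows the two properties the commit message relies on: recursion is safe because the nested entry contributes nothing to the counter, and the replacer's correctness depends entirely on the holder of an odd counter eventually running to completion, which is exactly the assumption a higher-priority preempting task on PREEMPT_RT breaks.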


Thread overview: 8+ messages
2025-04-04 15:28 [PATCH v4] netfilter: Exclude LEGACY TABLES on PREEMPT_RT Sebastian Andrzej Siewior
2025-04-15 15:14 ` Pablo Neira Ayuso [this message]
2025-06-13 12:50   ` Sebastian Andrzej Siewior
2025-06-13 15:30     ` Florian Westphal
2025-06-27 10:58       ` Sebastian Andrzej Siewior
2025-06-27 14:17         ` Florian Westphal
2025-06-30 14:36           ` Sebastian Andrzej Siewior
2025-06-30 14:45             ` Florian Westphal
