From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org,
pabeni@redhat.com, edumazet@google.com, fw@strlen.de
Subject: [PATCH net-next 11/17] netfilter: nft_set_pipapo: prepare walk function for on-demand clone
Date: Sun, 12 May 2024 18:14:30 +0200 [thread overview]
Message-ID: <20240512161436.168973-12-pablo@netfilter.org> (raw)
In-Reply-To: <20240512161436.168973-1-pablo@netfilter.org>
From: Florian Westphal <fw@strlen.de>
The existing code uses iter->type to figure out what data is needed, the
live copy (READ) or clone (UPDATE).
Without pending updates, priv->clone and priv->match will point to
different memory locations, but they have identical content.
Future patch will make priv->clone == NULL if there are no pending changes,
in this case we must copy the live data for the UPDATE case.
Currently this would require GFP_ATOMIC allocation. Split the walk
function in two parts: one that does the walk and one that decides which
data is needed.
In the UPDATE case, callers hold the transaction mutex so we do not need
the rcu read lock. This allows to use GFP_KERNEL allocation while
cloning.
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_set_pipapo.c | 60 ++++++++++++++++++++++------------
1 file changed, 39 insertions(+), 21 deletions(-)
diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
index 459e2dd5050c..543d6cf01de6 100644
--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -2106,35 +2106,23 @@ static void nft_pipapo_remove(const struct net *net, const struct nft_set *set,
}
/**
- * nft_pipapo_walk() - Walk over elements
+ * nft_pipapo_do_walk() - Walk over elements in m
* @ctx: nftables API context
* @set: nftables API set representation
+ * @m: matching data pointing to key mapping array
* @iter: Iterator
*
* As elements are referenced in the mapping array for the last field, directly
* scan that array: there's no need to follow rule mappings from the first
- * field.
+ * field. @m is protected either by RCU read lock or by transaction mutex.
*/
-static void nft_pipapo_walk(const struct nft_ctx *ctx, struct nft_set *set,
- struct nft_set_iter *iter)
+static void nft_pipapo_do_walk(const struct nft_ctx *ctx, struct nft_set *set,
+ const struct nft_pipapo_match *m,
+ struct nft_set_iter *iter)
{
- struct nft_pipapo *priv = nft_set_priv(set);
- const struct nft_pipapo_match *m;
const struct nft_pipapo_field *f;
unsigned int i, r;
- WARN_ON_ONCE(iter->type != NFT_ITER_READ &&
- iter->type != NFT_ITER_UPDATE);
-
- rcu_read_lock();
- if (iter->type == NFT_ITER_READ)
- m = rcu_dereference(priv->match);
- else
- m = priv->clone;
-
- if (unlikely(!m))
- goto out;
-
for (i = 0, f = m->f; i < m->field_count - 1; i++, f++)
;
@@ -2151,14 +2139,44 @@ static void nft_pipapo_walk(const struct nft_ctx *ctx, struct nft_set *set,
iter->err = iter->fn(ctx, set, iter, &e->priv);
if (iter->err < 0)
- goto out;
+ return;
cont:
iter->count++;
}
+}
-out:
- rcu_read_unlock();
+/**
+ * nft_pipapo_walk() - Walk over elements
+ * @ctx: nftables API context
+ * @set: nftables API set representation
+ * @iter: Iterator
+ *
+ * Test if destructive action is needed or not, clone active backend if needed
+ * and call the real function to work on the data.
+ */
+static void nft_pipapo_walk(const struct nft_ctx *ctx, struct nft_set *set,
+ struct nft_set_iter *iter)
+{
+ struct nft_pipapo *priv = nft_set_priv(set);
+ const struct nft_pipapo_match *m;
+
+ switch (iter->type) {
+ case NFT_ITER_UPDATE:
+ m = priv->clone;
+ nft_pipapo_do_walk(ctx, set, m, iter);
+ break;
+ case NFT_ITER_READ:
+ rcu_read_lock();
+ m = rcu_dereference(priv->match);
+ nft_pipapo_do_walk(ctx, set, m, iter);
+ rcu_read_unlock();
+ break;
+ default:
+ iter->err = -EINVAL;
+ WARN_ON_ONCE(1);
+ break;
+ }
}
/**
--
2.30.2
next prev parent reply other threads:[~2024-05-12 16:14 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-12 16:14 [PATCH net-next 00/17] Netfilter updates for net-next Pablo Neira Ayuso
2024-05-12 16:14 ` [PATCH net-next 01/17] netfilter: nf_tables: skip transaction if update object is not implemented Pablo Neira Ayuso
2024-05-13 20:40 ` patchwork-bot+netdevbpf
2024-05-12 16:14 ` [PATCH net-next 02/17] netfilter: nf_tables: remove NETDEV_CHANGENAME from netdev chain event handler Pablo Neira Ayuso
2024-05-12 16:14 ` [PATCH net-next 03/17] netfilter: conntrack: fix ct-state for ICMPv6 Multicast Router Discovery Pablo Neira Ayuso
2024-05-12 16:14 ` [PATCH net-next 04/17] netfilter: conntrack: dccp: try not to drop skb in conntrack Pablo Neira Ayuso
2024-05-12 16:14 ` [PATCH net-next 05/17] netfilter: use NF_DROP instead of -NF_DROP Pablo Neira Ayuso
2024-05-12 16:14 ` [PATCH net-next 06/17] netfilter: conntrack: documentation: remove reference to non-existent sysctl Pablo Neira Ayuso
2024-05-12 16:14 ` [PATCH net-next 07/17] netfilter: conntrack: remove flowtable early-drop test Pablo Neira Ayuso
2024-05-12 16:14 ` [PATCH net-next 08/17] netfilter: nft_set_pipapo: move prove_locking helper around Pablo Neira Ayuso
2024-05-12 16:14 ` [PATCH net-next 09/17] netfilter: nft_set_pipapo: make pipapo_clone helper return NULL Pablo Neira Ayuso
2024-05-12 16:14 ` [PATCH net-next 10/17] netfilter: nft_set_pipapo: prepare destroy function for on-demand clone Pablo Neira Ayuso
2024-05-12 16:14 ` Pablo Neira Ayuso [this message]
2024-05-12 16:14 ` [PATCH net-next 12/17] netfilter: nft_set_pipapo: merge deactivate helper into caller Pablo Neira Ayuso
2024-05-12 16:14 ` [PATCH net-next 13/17] netfilter: nft_set_pipapo: prepare pipapo_get helper for on-demand clone Pablo Neira Ayuso
2024-05-12 16:14 ` [PATCH net-next 14/17] netfilter: nft_set_pipapo: move cloning of match info to insert/removal path Pablo Neira Ayuso
2024-05-12 16:14 ` [PATCH net-next 15/17] netfilter: nft_set_pipapo: remove dirty flag Pablo Neira Ayuso
2024-05-12 16:14 ` [PATCH net-next 16/17] selftests: netfilter: add packetdrill based conntrack tests Pablo Neira Ayuso
2024-05-13 18:46 ` Jakub Kicinski
2024-05-13 20:03 ` Florian Westphal
2024-05-13 21:41 ` Jakub Kicinski
2024-05-14 5:09 ` Florian Westphal
2024-05-14 13:36 ` Jakub Kicinski
2024-05-12 16:14 ` [PATCH net-next 17/17] netfilter: nf_tables: allow clone callbacks to sleep Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240512161436.168973-12-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=fw@strlen.de \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).