public inbox for netdev@vger.kernel.org
From: Florian Westphal <fw@strlen.de>
To: <netdev@vger.kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	<netfilter-devel@vger.kernel.org>,
	pablo@netfilter.org
Subject: [PATCH net-next 01/10] netfilter: nf_tables: reset table validation state on abort
Date: Tue, 20 Jan 2026 20:17:54 +0100
Message-ID: <20260120191803.22208-2-fw@strlen.de>
In-Reply-To: <20260120191803.22208-1-fw@strlen.de>

If a transaction fails the final validation in the commit hook, the table
validation state is changed to NFT_VALIDATE_DO and a replay of the batch is
performed.  Every rule insert will then do a graph validation.

This is much slower, but provides better error reporting to the user
because we can point at the rule that introduces the validation issue.

Without this reset the affected table(s) remain in full validation mode,
i.e. on next transaction we start with slow-mode.

This makes the next transaction after a failed incremental update very slow:

 # time iptables-restore < /tmp/ruleset
 real    0m0.496s [..]
 # time iptables -A CALLEE -j CALLER
 iptables v1.8.11 (nf_tables):  RULE_APPEND failed (Too many links): rule in chain CALLEE
 real    0m0.022s [..]
 # time iptables-restore < /tmp/ruleset
 real    1m22.355s [..]

After this patch, 2nd iptables-restore is back to ~0.5s.

Fixes: 9a32e9850686 ("netfilter: nf_tables: don't write table validation state without mutex")
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_tables_api.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 729a92781a1a..027bab30c238 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -11536,6 +11536,13 @@ static int nf_tables_abort(struct net *net, struct sk_buff *skb,
 	ret = __nf_tables_abort(net, action);
 	nft_gc_seq_end(nft_net, gc_seq);
 
+	if (action == NFNL_ABORT_NONE) {
+		struct nft_table *table;
+
+		list_for_each_entry(table, &nft_net->tables, list)
+			table->validate_state = NFT_VALIDATE_SKIP;
+	}
+
 	WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
 
 	/* module autoload needs to happen after GC sequence update because it
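Review bot: the `action == NFNL_ABORT_NONE` guard is the subtle part of this hunk and carries no comment; add one line stating why the other abort actions are excluded, i.e. that an abort caused by a validation failure must leave the tables in NFT_VALIDATE_DO because the batch is about to be replayed with per-rule validation, as the commit message describes. The loop also resets every table in nft_net->tables rather than only the table(s) the aborted batch touched, which the commit message calls "the affected table(s)"; if resetting all of them is intended because every table is back at its last committed state once __nf_tables_abort() returns, say so in the message or in a comment next to the loop.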
-- 
2.52.0
