From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH nf-next 6/6] netfilter: nft_hash: support deletion of inactive elements
Date: Wed, 22 Jun 2016 13:14:32 +0200 [thread overview]
Message-ID: <1466594072-24043-6-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1466594072-24043-1-git-send-email-pablo@netfilter.org>
New elements are inactive in the preparation phase, and its
NFT_SET_ELEM_BUSY_MASK flag is set on.
This busy flag doesn't allow us to delete it from the same transaction,
following a sequence like:
begin transaction
add element X
delete element X
end transaction
This sequence is valid and may be triggered by robots. To resolve this
problem, allow deactivating elements that are active in the current
generation (ie. those that has been just added in this batch).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_hash.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c
index f39c53a..ea92481 100644
--- a/net/netfilter/nft_hash.c
+++ b/net/netfilter/nft_hash.c
@@ -153,9 +153,10 @@ static void *nft_hash_deactivate(const struct nft_set *set,
const struct nft_set_elem *elem)
{
struct nft_hash *priv = nft_set_priv(set);
+ struct net *net = read_pnet(&set->pnet);
struct nft_hash_elem *he;
struct nft_hash_cmp_arg arg = {
- .genmask = nft_genmask_next(read_pnet(&set->pnet)),
+ .genmask = nft_genmask_next(net),
.set = set,
.key = elem->key.val.data,
};
@@ -163,7 +164,8 @@ static void *nft_hash_deactivate(const struct nft_set *set,
rcu_read_lock();
he = rhashtable_lookup_fast(&priv->ht, &arg, nft_hash_params);
if (he != NULL) {
- if (!nft_set_elem_mark_busy(&he->ext))
+ if (!nft_set_elem_mark_busy(&he->ext) ||
+ !nft_is_active(net, &he->ext))
nft_set_elem_change_active(set, &he->ext);
else
he = NULL;
--
2.1.4
prev parent reply other threads:[~2016-06-22 11:16 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-22 11:14 [PATCH nf-next 1/6] netfilter: nf_tables: add generic macros to check for generation mask Pablo Neira Ayuso
2016-06-22 11:14 ` [PATCH nf-next 2/6] netfilter: nf_tables: add generation mask to tables Pablo Neira Ayuso
2016-06-22 11:50 ` Pablo Neira Ayuso
2016-06-22 11:14 ` [PATCH nf-next 3/6] netfilter: nf_tables: add generation mask to chains Pablo Neira Ayuso
2016-06-22 11:14 ` [PATCH nf-next 4/6] netfilter: nf_tables: add generation mask to sets Pablo Neira Ayuso
2016-06-22 11:14 ` [PATCH nf-next 5/6] netfilter: nft_rbtree: check for next generation when deactivating elements Pablo Neira Ayuso
2016-06-22 11:14 ` Pablo Neira Ayuso [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1466594072-24043-6-git-send-email-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).