[PATCH 43/47] netfilter: core: batch nf_unregister_net_hooks synchronize_net calls

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 43/47] netfilter: core: batch nf_unregister_net_hooks synchronize_net calls
Date: Mon,  4 Sep 2017 00:42:50 +0200	[thread overview]
Message-ID: <1504478574-13281-8-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1504478574-13281-1-git-send-email-pablo@netfilter.org>

From: Florian Westphal <fw@strlen.de>

re-add batching in nf_unregister_net_hooks().

Similar as before, just store an array with to-be-free'd rule arrays
on stack, then call synchronize_net once per batch.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/core.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 56 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 164ad20d0bd2..04fe25abc5f6 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -395,10 +395,63 @@ EXPORT_SYMBOL(nf_register_net_hooks);
 void nf_unregister_net_hooks(struct net *net, const struct nf_hook_ops *reg,
 			     unsigned int hookcount)
 {
-	unsigned int i;
+	struct nf_hook_entries *to_free[16], *p;
+	struct nf_hook_entries __rcu **pp;
+	unsigned int i, j, n;
+
+	mutex_lock(&nf_hook_mutex);
+	for (i = 0; i < hookcount; i++) {
+		pp = nf_hook_entry_head(net, &reg[i]);
+		if (!pp)
+			continue;
+
+		p = nf_entry_dereference(*pp);
+		if (WARN_ON_ONCE(!p))
+			continue;
+		__nf_unregister_net_hook(p, &reg[i]);
+	}
+	mutex_unlock(&nf_hook_mutex);
+
+	do {
+		n = min_t(unsigned int, hookcount, ARRAY_SIZE(to_free));
+
+		mutex_lock(&nf_hook_mutex);
+
+		for (i = 0, j = 0; i < hookcount && j < n; i++) {
+			pp = nf_hook_entry_head(net, &reg[i]);
+			if (!pp)
+				continue;
+
+			p = nf_entry_dereference(*pp);
+			if (!p)
+				continue;
+
+			to_free[j] = __nf_hook_entries_try_shrink(pp);
+			if (to_free[j])
+				++j;
+		}
+
+		mutex_unlock(&nf_hook_mutex);
+
+		if (j) {
+			unsigned int nfq;
+
+			synchronize_net();
+
+			/* need 2nd synchronize_net() if nfqueue is used, skb
+			 * can get reinjected right before nf_queue_hook_drop()
+			 */
+			nfq = nf_queue_nf_hook_drop(net);
+			if (nfq)
+				synchronize_net();
+
+			for (i = 0; i < j; i++)
+				kvfree(to_free[i]);
+		}
 
-	for (i = 0; i < hookcount; i++)
-		nf_unregister_net_hook(net, &reg[i]);
+		reg += n;
+		hookcount -= n;
+	} while (hookcount > 0);
 }
 EXPORT_SYMBOL(nf_unregister_net_hooks);
 
-- 
2.1.4

next prev parent reply	other threads:[~2017-09-03 22:43 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-09-03 22:42 [PATCH 36/47] netfilter: conntrack: place print_tuple in procfs part Pablo Neira Ayuso
2017-09-03 22:42 ` [PATCH 37/47] netfilter: conntrack: print_conntrack only needed if CONFIG_NF_CONNTRACK_PROCFS Pablo Neira Ayuso
2017-09-03 22:42 ` [PATCH 38/47] netfilter: conntrack: make protocol tracker pointers const Pablo Neira Ayuso
2017-09-03 22:42 ` [PATCH 39/47] netfilter: ebtables: fix indent on if statements Pablo Neira Ayuso
2017-09-03 22:42 ` [PATCH 40/47] netfilter: fix a few (harmless) sparse warnings Pablo Neira Ayuso
2017-09-03 22:42 ` [PATCH 41/47] netfilter: convert hook list to an array Pablo Neira Ayuso
2017-10-08 15:07   ` Tariq Toukan
2017-10-09  9:31     ` Florian Westphal
2017-10-09 10:04       ` Tariq Toukan
2017-09-03 22:42 ` [PATCH 42/47] netfilter: debug: check for sorted array Pablo Neira Ayuso
2017-09-03 22:42 ` Pablo Neira Ayuso [this message]
2017-09-03 22:42 ` [PATCH 44/47] netfilter: conntrack: don't log "invalid" icmpv6 connections Pablo Neira Ayuso
2017-09-03 22:42 ` [PATCH 45/47] netfilter: Remove NFDEBUG() Pablo Neira Ayuso

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:164ad20d0bd dfblob:04fe25abc5f )
 OR (
bs:"[PATCH 43/47] netfilter: core: batch nf_unregister_net_hooks synchronize_net calls" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1504478574-13281-8-git-send-email-pablo@netfilter.org \
    --to=pablo@netfilter.org \
    --cc=davem@davemloft.net \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).