From: Patrick McHardy <kaber@trash.net>
To: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Cc: netfilter-devel@vger.kernel.org, pablo@netfilter.org
Subject: Re: [nft RFC PATCH] src: add import operation
Date: Tue, 21 Jan 2014 17:22:09 +0000 [thread overview]
Message-ID: <20140121172209.GB8194@macbook.localnet> (raw)
In-Reply-To: <20140121170211.31038.31659.stgit@nfdev.cica.es>
On Tue, Jan 21, 2014 at 06:02:11PM +0100, Arturo Borrero Gonzalez wrote:
> The import operation reads XML/JSON data from stdin.
>
> A basic way to test is:
> % nft export json | nft import json
>
> This operation flush the kernel ruleset before adding the one imported.
>
> Adding data from a file:
> % cat file.json | nft import json
> % nft import json < file.json
OK I think I understand your -EBUSY problem. We're destroying the rules'
expressions from within the RCU callback, so its happening asynchronous.
You most likely don't get EBUSY when deleting the table, but when deleting
the set because the bindings from the lookup rules are not released yet.
You then will *also* get -EBUSY from table deletion.
Basically I see these possibilities to fix this:
- Use synchronize_rcu() instead of call_rcu() for rule deletion. We
added the call_rcu() because deletion performance was suffering
badly from lots of synchronize_rcu() calls. This is obviously not
a problem anymore with batched deletion.
- Use synchronize_rcu() before deleting sets. Same effect, but in case
someone really does unbatched deletes, it will very likely result in
less synchronize_rcu() calls.
Regarding this patch, I don't think we should add this before we support
atomic replacement of tables, chains and sets as well. IOW, this needs
quite a bit of kernel work.
next prev parent reply other threads:[~2014-01-21 17:22 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-21 17:02 [nft RFC PATCH] src: add import operation Arturo Borrero Gonzalez
2014-01-21 17:22 ` Patrick McHardy [this message]
2014-01-21 17:32 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140121172209.GB8194@macbook.localnet \
--to=kaber@trash.net \
--cc=arturo.borrero.glez@gmail.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).