From: Patrick McHardy <kaber@trash.net>
To: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Cc: netfilter-devel@vger.kernel.org, pablo@netfilter.org
Subject: Re: [nft RFC PATCH] src: add import operation
Date: Tue, 21 Jan 2014 17:32:03 +0000 [thread overview]
Message-ID: <20140121173203.GA19183@macbook.localnet> (raw)
In-Reply-To: <20140121172209.GB8194@macbook.localnet>
On Tue, Jan 21, 2014 at 05:22:09PM +0000, Patrick McHardy wrote:
> On Tue, Jan 21, 2014 at 06:02:11PM +0100, Arturo Borrero Gonzalez wrote:
> > The import operation reads XML/JSON data from stdin.
> >
> > A basic way to test is:
> > % nft export json | nft import json
> >
> > This operation flush the kernel ruleset before adding the one imported.
> >
> > Adding data from a file:
> > % cat file.json | nft import json
> > % nft import json < file.json
>
> OK I think I understand your -EBUSY problem. We're destroying the rules'
> expressions from within the RCU callback, so its happening asynchronous.
> You most likely don't get EBUSY when deleting the table, but when deleting
> the set because the bindings from the lookup rules are not released yet.
> You then will *also* get -EBUSY from table deletion.
>
> Basically I see these possibilities to fix this:
>
> - Use synchronize_rcu() instead of call_rcu() for rule deletion. We
> added the call_rcu() because deletion performance was suffering
> badly from lots of synchronize_rcu() calls. This is obviously not
> a problem anymore with batched deletion.
>
> - Use synchronize_rcu() before deleting sets. Same effect, but in case
> someone really does unbatched deletes, it will very likely result in
> less synchronize_rcu() calls.
Actually this one is nonsense. synchronize_rcu() doesn't guarantee that
a scheduled RCU callback has already returned. I'd suggest to switch back
rule deletion to use synchronize_rcu().
Basically our API is currently broken since it contains a race condition.
Userspace must be able to assume that the referenced objects can be
removed after the DELRULE command has completed.
> Regarding this patch, I don't think we should add this before we support
> atomic replacement of tables, chains and sets as well. IOW, this needs
> quite a bit of kernel work.
prev parent reply other threads:[~2014-01-21 17:32 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-21 17:02 [nft RFC PATCH] src: add import operation Arturo Borrero Gonzalez
2014-01-21 17:22 ` Patrick McHardy
2014-01-21 17:32 ` Patrick McHardy [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140121173203.GA19183@macbook.localnet \
--to=kaber@trash.net \
--cc=arturo.borrero.glez@gmail.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).