From: Patrick McHardy <kaber@trash.net>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] netfilter: nf_tables: fix rule batch with anonymous set and module autoload
Date: Fri, 14 Feb 2014 11:37:56 +0000 [thread overview]
Message-ID: <20140214113755.GC19082@macbook.localnet> (raw)
In-Reply-To: <1392377228-3748-1-git-send-email-pablo@netfilter.org>
[ sorry accidentally dropped netfilter-devel ]
On Fri, Feb 14, 2014 at 12:27:08PM +0100, Pablo Neira Ayuso wrote:
> If some modules are missing while processing a rule batch, the updates
> are aborted to start scratch since the nfnl lock was released. If the
> rule-set contains this configuration (in this order):
>
> #1 rule using anonymous set
> #2 rule requiring module autoload
>
> The anonymous set will be released when aborting. This patch fixes this
> by passing a context variable (autoload) that can be used to decide if
> the anonymous set has to be released or not.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> I guess we can encapsulate that autoload into a context information structure
> in the future in case any other information is needed in the rule destroy path
> to make this look nicer.
>
> I started hacking on two patches to net-next, one to include table, chains and
> set into the batch and follow up to add atomic updates for sets. @Patrick: I
> think that should not interfer with your set enhancements.
Wouldn't be a big problem, they're pretty much contained to newset().
Regarding this patch - I'd really prefer to just fix batches to include sets
instead of changing all these function signatures just to handle this very
specific case.
I'm wondering how this will work in case of anonymous sets though, right now
we need two transactions so userspace can attach the new set to the lookup
expression.
next prev parent reply other threads:[~2014-02-14 11:38 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-14 11:27 [PATCH] netfilter: nf_tables: fix rule batch with anonymous set and module autoload Pablo Neira Ayuso
2014-02-14 11:37 ` Patrick McHardy [this message]
2014-02-14 12:34 ` Pablo Neira Ayuso
2014-02-15 9:38 ` Patrick McHardy
2014-02-16 10:33 ` Pablo Neira Ayuso
2014-02-16 10:44 ` Patrick McHardy
2014-02-16 11:14 ` Pablo Neira Ayuso
2014-02-16 11:23 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140214113755.GC19082@macbook.localnet \
--to=kaber@trash.net \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).