* [PATCH 1/2 nf] netfilter: nft_queue: restrict queueing to supported families @ 2015-06-26 8:01 Pablo Neira Ayuso 2015-06-26 8:01 ` [PATCH 2/2 nf] netfilter: nfnetlink: keep going batch handling on missing modules Pablo Neira Ayuso 2015-06-26 8:02 ` [PATCH 1/2 nf] netfilter: nft_queue: restrict queueing to supported families Patrick McHardy 0 siblings, 2 replies; 4+ messages in thread From: Pablo Neira Ayuso @ 2015-06-26 8:01 UTC (permalink / raw) To: netfilter-devel; +Cc: kaber We only support IPv4 and IPv6 at this moment. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/netfilter/nft_queue.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nft_queue.c b/net/netfilter/nft_queue.c index 96805d2..45b9f7f 100644 --- a/net/netfilter/nft_queue.c +++ b/net/netfilter/nft_queue.c @@ -129,4 +129,5 @@ module_exit(nft_queue_module_exit); MODULE_LICENSE("GPL"); MODULE_AUTHOR("Eric Leblond <eric@regit.org>"); -MODULE_ALIAS_NFT_EXPR("queue"); +MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "queue"); +MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "queue"); -- 1.7.10.4 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 2/2 nf] netfilter: nfnetlink: keep going batch handling on missing modules 2015-06-26 8:01 [PATCH 1/2 nf] netfilter: nft_queue: restrict queueing to supported families Pablo Neira Ayuso @ 2015-06-26 8:01 ` Pablo Neira Ayuso 2015-06-26 8:02 ` [PATCH 1/2 nf] netfilter: nft_queue: restrict queueing to supported families Patrick McHardy 1 sibling, 0 replies; 4+ messages in thread From: Pablo Neira Ayuso @ 2015-06-26 8:01 UTC (permalink / raw) To: netfilter-devel; +Cc: kaber After a fresh boot with no modules in place at all and a large rulesets, the existing nfnetlink_rcv_batch() funcion can take long time to commit the ruleset due to the many abort path. This is specifically a problem for the existing client of this code, ie. nf_tables, since it results in several synchronize_rcu() call in a row. This patch changes the policy to keep full batch processing on missing modules errors so we abort only once. Reported-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Tested-by: Eric Leblond <eric@regit.org> --- net/netfilter/nfnetlink.c | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c index 8b117c9..e87f6c7 100644 --- a/net/netfilter/nfnetlink.c +++ b/net/netfilter/nfnetlink.c @@ -276,13 +276,16 @@ static void nfnetlink_rcv_batch(struct sk_buff *skb, struct nlmsghdr *nlh, struct net *net = sock_net(skb->sk); const struct nfnetlink_subsystem *ss; const struct nfnl_callback *nc; - bool success = true, done = false; + bool success, done, missing_modules; static LIST_HEAD(err_list); int err; if (subsys_id >= NFNL_SUBSYS_COUNT) return netlink_ack(skb, nlh, -EINVAL); replay: + done = missing_modules = false; + success = true; + skb = netlink_skb_clone(oskb, GFP_KERNEL); if (!skb) return netlink_ack(oskb, nlh, -ENOMEM); @@ -382,11 +385,8 @@ replay: * original skb. */ if (err == -EAGAIN) { - nfnl_err_reset(&err_list); - ss->abort(oskb); - nfnl_unlock(subsys_id); - kfree_skb(skb); - goto replay; + missing_modules = true; + goto next; } } ack: @@ -412,17 +412,24 @@ ack: if (err) success = false; } - +next: msglen = NLMSG_ALIGN(nlh->nlmsg_len); if (msglen > skb->len) msglen = skb->len; skb_pull(skb, msglen); } done: - if (success && done) + if (missing_modules) { + ss->abort(oskb); + nfnl_err_reset(&err_list); + nfnl_unlock(subsys_id); + kfree_skb(skb); + goto replay; + } else if (success && done) { ss->commit(oskb); - else + } else { ss->abort(oskb); + } nfnl_err_deliver(&err_list, oskb); nfnl_unlock(subsys_id); -- 1.7.10.4 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 1/2 nf] netfilter: nft_queue: restrict queueing to supported families 2015-06-26 8:01 [PATCH 1/2 nf] netfilter: nft_queue: restrict queueing to supported families Pablo Neira Ayuso 2015-06-26 8:01 ` [PATCH 2/2 nf] netfilter: nfnetlink: keep going batch handling on missing modules Pablo Neira Ayuso @ 2015-06-26 8:02 ` Patrick McHardy 2015-06-26 8:36 ` Pablo Neira Ayuso 1 sibling, 1 reply; 4+ messages in thread From: Patrick McHardy @ 2015-06-26 8:02 UTC (permalink / raw) To: Pablo Neira Ayuso; +Cc: netfilter-devel On 26.06, Pablo Neira Ayuso wrote: > We only support IPv4 and IPv6 at this moment. That's not a restriction but just a module alias. If the module is already loaded it will still be usable for any family. Packets will of course simply get dropped by nf_queue(). If we really want to restrict this, we'd also have to restrict queueing verdict codes for other families. > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> > --- > net/netfilter/nft_queue.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/net/netfilter/nft_queue.c b/net/netfilter/nft_queue.c > index 96805d2..45b9f7f 100644 > --- a/net/netfilter/nft_queue.c > +++ b/net/netfilter/nft_queue.c > @@ -129,4 +129,5 @@ module_exit(nft_queue_module_exit); > > MODULE_LICENSE("GPL"); > MODULE_AUTHOR("Eric Leblond <eric@regit.org>"); > -MODULE_ALIAS_NFT_EXPR("queue"); > +MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "queue"); > +MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "queue"); > -- > 1.7.10.4 > ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 1/2 nf] netfilter: nft_queue: restrict queueing to supported families 2015-06-26 8:02 ` [PATCH 1/2 nf] netfilter: nft_queue: restrict queueing to supported families Patrick McHardy @ 2015-06-26 8:36 ` Pablo Neira Ayuso 0 siblings, 0 replies; 4+ messages in thread From: Pablo Neira Ayuso @ 2015-06-26 8:36 UTC (permalink / raw) To: Patrick McHardy; +Cc: netfilter-devel On Fri, Jun 26, 2015 at 10:02:01AM +0200, Patrick McHardy wrote: > On 26.06, Pablo Neira Ayuso wrote: > > We only support IPv4 and IPv6 at this moment. > > That's not a restriction but just a module alias. If the module is > already loaded it will still be usable for any family. > > Packets will of course simply get dropped by nf_queue(). If we > really want to restrict this, we'd also have to restrict queueing > verdict codes for other families. I was trying to provide a simple way to avoid that users get this loaded into their ruleset meanwhile. ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-06-26 8:31 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2015-06-26 8:01 [PATCH 1/2 nf] netfilter: nft_queue: restrict queueing to supported families Pablo Neira Ayuso 2015-06-26 8:01 ` [PATCH 2/2 nf] netfilter: nfnetlink: keep going batch handling on missing modules Pablo Neira Ayuso 2015-06-26 8:02 ` [PATCH 1/2 nf] netfilter: nft_queue: restrict queueing to supported families Patrick McHardy 2015-06-26 8:36 ` Pablo Neira Ayuso
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).