From mboxrd@z Thu Jan 1 00:00:00 1970
From: Pablo Neira Ayuso
Subject: Re: [PATCH nf-next] netns: add and use net_ns_barrier
Date: Wed, 14 Jun 2017 10:41:47 +0200
Message-ID: <20170614084147.GC31030@salvia>
References: <20170530093812.10712-1-fw@strlen.de>
 <87y3tcj3n7.fsf@xmission.com>
 <20170601085259.GA6067@breakpoint.cc>
 <20170613061656.GF18283@breakpoint.cc>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Florian Westphal , "Eric W. Biederman" , netfilter-devel@vger.kernel.org, Linux Kernel Network Developers
To: Cong Wang
Return-path:
Received: from mail.us.es ([193.147.175.20]:59944 "EHLO mail.us.es" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753624AbdFNIlw (ORCPT ); Wed, 14 Jun 2017 04:41:52 -0400
Received: from antivirus1-rhel7.int (unknown [192.168.2.11]) by mail.us.es (Postfix) with ESMTP id B62E81F4B7E for ; Wed, 14 Jun 2017 10:41:41 +0200 (CEST)
Received: from antivirus1-rhel7.int (localhost [127.0.0.1]) by antivirus1-rhel7.int (Postfix) with ESMTP id A43A8D191C for ; Wed, 14 Jun 2017 10:41:41 +0200 (CEST)
Received: from antivirus1-rhel7.int (localhost [127.0.0.1]) by antivirus1-rhel7.int (Postfix) with ESMTP id AB028100A7D for ; Wed, 14 Jun 2017 10:41:39 +0200 (CEST)
Content-Disposition: inline
In-Reply-To:
Sender: netfilter-devel-owner@vger.kernel.org
List-ID:

Hi!

On Tue, Jun 13, 2017 at 09:35:20AM -0700, Cong Wang wrote:
> On Mon, Jun 12, 2017 at 11:16 PM, Florian Westphal wrote:
> > Cong Wang wrote:
> >> On Thu, Jun 1, 2017 at 1:52 AM, Florian Westphal wrote:
> >> > Joe described it nicely, problem is that after unload we may have
> >> > conntracks that still have a nf_conn_help extension attached that
> >> > has a pointer to a structure that resided in the (unloaded) module.
> >>
> >> Why not hold a refcnt for its module?
> >
> > That would work as well.
> >
> > I'm not sure it's nice to disallow rmmod of helper modules if they are
> > used by a connection however.
>
> I am _not_ suggesting to disallow rmmod.
>
> > Right now you can "rmmod nf_conntrack_foo" at any time and this should
> > work just fine without first having to flush affected conntracks
> > manually.
>
> My point is that since netns wq could invoke code of that module,
> why doesn't it hold a refcnt of that module?
>
> I am not familiar with the netfilter code base so not sure if that is
> hard to do or not, but it looks more elegant than this barrier.

Florian has added a new native interface to integrate helpers into
nftables in a much better way than we do now, that allows much more
fine-grained configuration. This new interface bumps refcounts on
helpers as you suggest.

However, we still have to sort of keep the existing behaviour around;
people have been relying on this rmmod feature to globally disable
helpers. It's a very old thing indeed and, as you can see, very
coarse-grained for the netns era... But still I think we need this.

So I'm inclined to take this, and keep an eye on deprecating this
behaviour several years from now. Probably we can get rid of this
barrier at some point.
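The hazard Florian describes above (a conntrack whose nf_conn_help extension still points into an unloaded module) and Cong Wang's alternative (have each user hold a reference on the module so rmmod is refused while it is in use) can be modelled outside the kernel. The following is an added user-space illustration, not kernel code and not from this thread or the netfilter tree: the `helper_module`, `conn`, `run_scenario` and `count_dangling` names are constructed for the example, and the module name is borrowed from the "nf_conntrack_foo" mentioned in the thread. It runs the same scenario twice, once with unconditional unload and once with unload gated on a per-connection reference, and counts how many connections are left pointing at unloaded module memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* A loadable helper "module" (constructed model, not the kernel's struct module). */
struct helper_module {
    const char *name;
    int refcnt;     /* connections currently holding a reference */
    bool loaded;
};

/* A tracked connection whose helper extension points into the module. */
struct conn {
    struct helper_module *help;
};

/* Attach a helper to a connection. With take_ref set, the connection holds a
 * reference on the module for as long as its pointer exists. */
static bool conn_attach_helper(struct conn *c, struct helper_module *m, bool take_ref)
{
    if (!m->loaded)
        return false;
    if (take_ref)
        m->refcnt++;
    c->help = m;
    return true;
}

/* Drop the helper from a connection (as on conntrack destruction). */
static void conn_detach_helper(struct conn *c, bool had_ref)
{
    if (!c->help)
        return;
    if (had_ref)
        c->help->refcnt--;
    c->help = NULL;
}

/* rmmod: with honour_refs, refuse (EBUSY-style) while any user holds a reference;
 * otherwise unload unconditionally, the behaviour the thread says people rely on. */
static bool module_unload(struct helper_module *m, bool honour_refs)
{
    if (honour_refs && m->refcnt > 0)
        return false;
    m->loaded = false;
    return true;
}

/* Count connections whose helper pointer refers to an unloaded module: each one
 * is a pointer into memory that no longer belongs to the module, the use-after-free
 * risk the barrier exists to avoid. */
size_t count_dangling(const struct conn *conns, size_t n)
{
    size_t dangling = 0;
    for (size_t i = 0; i < n; i++)
        if (conns[i].help && !conns[i].help->loaded)
            dangling++;
    return dangling;
}

/* Scenario: two connections use the helper, then rmmod is attempted while they
 * are still alive. Returns the number of dangling helper pointers left behind;
 * *unloaded reports whether the rmmod was allowed. */
size_t run_scenario(bool refcounted, bool *unloaded)
{
    struct helper_module foo = { "nf_conntrack_foo", 0, true };
    struct conn conns[2] = { { NULL }, { NULL } };

    for (size_t i = 0; i < 2; i++)
        conn_attach_helper(&conns[i], &foo, refcounted);

    *unloaded = module_unload(&foo, refcounted);
    size_t dangling = count_dangling(conns, 2);

    for (size_t i = 0; i < 2; i++)
        conn_detach_helper(&conns[i], refcounted);
    return dangling;
}

int main(void)
{
    bool unloaded;
    size_t d = run_scenario(false, &unloaded);
    printf("unconditional: rmmod %s, %zu dangling helper pointer(s)\n",
           unloaded ? "succeeded" : "refused", d);
    d = run_scenario(true, &unloaded);
    printf("refcounted:    rmmod %s, %zu dangling helper pointer(s)\n",
           unloaded ? "succeeded" : "refused", d);
    return 0;
}
```

The refcounted run never leaves a dangling pointer, but only because rmmod is refused while connections use the helper, which is exactly the trade-off the thread weighs against keeping unconditional "rmmod nf_conntrack_foo" working; the model does not represent the netns cleanup work queue itself, only the pointer lifetime it can extend.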