From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Subject: [PATCH xtables-nft 0/6] handle parallel restore case
Date: Tue, 23 Apr 2019 15:16:19 +0200 [thread overview]
Message-ID: <20190423131625.23377-1-fw@strlen.de> (raw)
This series handles the case of parallel iptables-nft-restore
invocations.
As xtables-nft ignores -w option (userspace-based serialization
lock), several nft instances can race.
In worse case, we can restore a ruleset twice, i.e. we get
duplicated rules:
1. "iptables-nft-restore < foo" is called for first time.
No tables exist, so we create a transaction that creates
the table/chains/rules.
2. "iptables-nft-restore < foo" is called in parallel.
If the timing is right, it will also find no existing table,
and will create a 2nd batch that adds rules.
If the 2nd version doesn't run in parallel, it will detect
that the table exists and will add a flush operation to the
batch.
The first patches are preparation work, the fix is coming in patch 5,
it uses the generation counter to detect when the transaction batch
was based off an old state.
In case kernel indicates the generation id doesn't match anymore,
we fetch the current state and will refresh the pending transaction
before re-try.
The refresh currently includes adding/removing flush and chain add
operations.
Last patch adds a test script for this.
Florian Westphal (6):
xtables: unify user chain add/flush for restore case
xtables: add skip flag to objects
xtables: add and use nft_build_cache
xtables: add and set "implict" flag on transaction objects
xtables: handle concurrent ruleset modifications
tests: add test script for race-free restore
nft-shared.h | 7
nft.c | 325 +++++++++++++-----
nft.h | 7
tests/shell/testcases/ipt-restore/0004-restore-race_0 | 119 ++++++
xtables-restore.c | 35 -
xtables-translate.c | 6
6 files changed, 379 insertions(+), 120 deletions(-)
next reply other threads:[~2019-04-23 13:22 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-23 13:16 Florian Westphal [this message]
2019-04-23 13:16 ` [PATCH xtables-nft 1/6] xtables: unify user chain add/flush for restore case Florian Westphal
2019-04-23 13:16 ` [PATCH xtables-nft 2/6] xtables: add skip flag to objects Florian Westphal
2019-04-23 13:16 ` [PATCH xtables-nft 3/6] xtables: add and use nft_build_cache Florian Westphal
2019-04-23 13:16 ` [PATCH xtables-nft 4/6] xtables: add and set "implict" flag on transaction objects Florian Westphal
2019-04-23 13:16 ` [PATCH xtables-nft 5/6] xtables: handle concurrent ruleset modifications Florian Westphal
2019-04-23 13:16 ` [PATCH xtables-nft 6/6] tests: add test script for race-free restore Florian Westphal
2019-04-26 17:05 ` [PATCH xtables-nft 0/6] handle parallel restore case Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190423131625.23377-1-fw@strlen.de \
--to=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).