From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org, Eric Garver <e@erig.me>
Subject: Re: [nft PATCH v5 00/10] Cache update fix && intra-transaction rule references
Date: Wed, 5 Jun 2019 21:24:29 +0200 [thread overview]
Message-ID: <20190605192429.GX31548@orbyte.nwl.cc> (raw)
In-Reply-To: <20190605170541.g4mhpsn7k72qyeso@salvia>
Hi Pablo,
On Wed, Jun 05, 2019 at 07:05:41PM +0200, Pablo Neira Ayuso wrote:
> Thanks a lot for working on this, I have a few comments.
>
> On Tue, Jun 04, 2019 at 07:31:48PM +0200, Phil Sutter wrote:
> > Next round of combined cache update fix and intra-transaction rule
> > reference support.
>
> Patch 1 looks good.
>
> > Patch 2 is new, it avoids accidential cache updates when committing a
> > transaction containing flush ruleset command and kernel ruleset has
> > changed meanwhile.
>
> Patch 2: Could you provide an example scenario for this new patch?
Given the sample nft input:
| flush ruleset
| add table t
| add chain t c
| ...
First command causes call of cache_flush(), which updates cache->genid
from kernel. Third command causes call to cache_update(). If in between
these two another process has committed a change to kernel, kernel's
genid has bumped and cache_update() will populate the cache because
cache_is_updated() returns false.
From the top of my head I don't see where these stray cache entries
would lead to spurious errors but it is clearly false behaviour in cache
update logic.
> > Patch 3 is also new: If a transaction fails in kernel, local cache is
> > incorrect - drop it.
>
> Patch 3 looks good!
>
> Regarding patches 4, 5 and 6. I think we can skip them if we follow
> the approach described by [1], given there is only one single
> cache_update() call after that patchset, we don't need to do the
> "Restore local entries after cache update" logic.
>
> [1] https://marc.info/?l=netfilter-devel&m=155975322308042&w=2
The question is how we want to treat rule reference by index if cache is
outdated. We could be nice and recalculate the rule reference which
would require to rebuild the cache including own additions. We could
also just refer to the warning in nft.8 and do nothing about it. :)
> > Patch 9 is a new requirement for patch 10 due to relocation of new
> > functions.
> >
> > Patch 10 was changed, changelog included.
>
> Patch 10 looks fine. However, as said, I would like to avoid the patch
> dependencies 4, 5 and 6, they are adding more cache_update() calls and
> I think we should go in the opposite direction to end up with a more
> simple approach.
OK, so how to proceed from here? I see you've based your patch series
upon an earlier version of mine. If you provide me with a clean version,
I could apply the index reference stuff on top. Or something else?
Cheers, Phil
next prev parent reply other threads:[~2019-06-05 19:25 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-04 17:31 [nft PATCH v5 00/10] Cache update fix && intra-transaction rule references Phil Sutter
2019-06-04 17:31 ` [nft PATCH v5 01/10] src: Fix cache_flush() in cache_needs_more() logic Phil Sutter
2019-06-06 9:21 ` Pablo Neira Ayuso
2019-06-04 17:31 ` [nft PATCH v5 02/10] src: Utilize CMD_FLUSH for cache->cmd Phil Sutter
2019-06-04 17:31 ` [nft PATCH v5 03/10] libnftables: Drop cache in error case Phil Sutter
2019-06-06 9:21 ` Pablo Neira Ayuso
2019-06-04 17:31 ` [nft PATCH v5 04/10] libnftables: Keep list of commands in nft context Phil Sutter
2019-06-04 17:31 ` [nft PATCH v5 05/10] src: Make {table,chain}_not_found() public Phil Sutter
2019-06-04 17:31 ` [nft PATCH v5 06/10] src: Restore local entries after cache update Phil Sutter
2019-06-04 17:31 ` [nft PATCH v5 07/10] rule: Introduce rule_lookup_by_index() Phil Sutter
2019-06-04 17:31 ` [nft PATCH v5 08/10] src: Make cache_is_complete() public Phil Sutter
2019-06-04 17:31 ` [nft PATCH v5 09/10] include: Collect __stmt_binary_error() wrapper macros Phil Sutter
2019-06-04 17:31 ` [nft PATCH v5 10/10] src: Support intra-transaction rule references Phil Sutter
2019-06-05 17:05 ` [nft PATCH v5 00/10] Cache update fix && " Pablo Neira Ayuso
2019-06-05 19:24 ` Phil Sutter [this message]
2019-06-06 8:36 ` Pablo Neira Ayuso
2019-06-06 9:42 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190605192429.GX31548@orbyte.nwl.cc \
--to=phil@nwl.cc \
--cc=e@erig.me \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).