From: Simon Horman <horms@kernel.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org, lorenzo@kernel.org,
netdev@vger.kernel.org
Subject: Re: [PATCH nf-next 1/8] netfilter: flowtable: move nf_flowtable out of container structures
Date: Thu, 23 Nov 2023 13:52:13 +0000
Message-ID: <20231123135213.GE6339@kernel.org>
In-Reply-To: <20231121122800.13521-2-fw@strlen.de>
On Tue, Nov 21, 2023 at 01:27:44PM +0100, Florian Westphal wrote:
> struct nf_flowtable is currently wholly embedded in either nft_flowtable
> or tcf_ct_flow_table.
>
> In order to allow flowtable acceleration via XDP, the XDP program will
> need to map struct net_device to struct nf_flowtable.
>
> To make this work reliably, make a clear separation of the frontend
> (nft, tc) and backend (nf_flowtable) representation.
>
> In this first patch, make it so nft_flowtable and tcf_ct_flow_table
> only store pointers to an nf_flowtable structure.
>
> The main goal is to have follow patches that allow us to keep the
> nf_flowtable structure around for a bit longer (e.g. until after
> an rcu grace period has elapsed) when the frontend(s) are tearing the
> structures down.
>
> At this time, things are fine, but when xdp programs might be using
> the nf_flowtable structure as well we will need a way to ensure that
> no such users exist anymore.
>
> Right now there is insufficient guarantee: nftables only ensures
> that the netfilter hooks are unregistered, and tc only ensures the
> tc actions have been removed.
>
> Any future kfunc might still be called in parallel from an XDP
> program. The easiest way to resolve this is to let the nf_flowtable
> core handle release and module reference counting itself.
>
> Signed-off-by: Florian Westphal <fw@strlen.de>
...
> @@ -312,24 +313,29 @@ static int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params)
> if (err)
> goto err_insert;
>
> - ct_ft->nf_ft.type = &flowtable_ct;
> - ct_ft->nf_ft.flags |= NF_FLOWTABLE_HW_OFFLOAD |
> - NF_FLOWTABLE_COUNTER;
> - err = nf_flow_table_init(&ct_ft->nf_ft);
> + ct_ft->nf_ft = kzalloc(sizeof(*ct_ft->nf_ft), GFP_KERNEL);
> + if (!ct_ft->nf_ft)
> + goto err_alloc;
Hi Florian,
This branch will cause the function to return err, but err is 0 here.
Perhaps it should be set to a negative error value instead?
Flagged by Smatch.
> +
> + ct_ft->nf_ft->type = &flowtable_ct;
> + ct_ft->nf_ft->flags |= NF_FLOWTABLE_HW_OFFLOAD |
> + NF_FLOWTABLE_COUNTER;
> + err = nf_flow_table_init(ct_ft->nf_ft);
> if (err)
> goto err_init;
> - write_pnet(&ct_ft->nf_ft.net, net);
> + write_pnet(&ct_ft->nf_ft->net, net);
>
> __module_get(THIS_MODULE);
> out_unlock:
> params->ct_ft = ct_ft;
> - params->nf_ft = &ct_ft->nf_ft;
> + params->nf_ft = ct_ft->nf_ft;
> mutex_unlock(&zones_mutex);
>
> return 0;
>
> err_init:
> rhashtable_remove_fast(&zones_ht, &ct_ft->node, zones_params);
> + kfree(ct_ft->nf_ft);
> err_insert:
> kfree(ct_ft);
> err_alloc:
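Review bot: the new `goto err_alloc` after the failed kzalloc() jumps past both `rhashtable_remove_fast()` under err_init and `kfree(ct_ft)` under err_insert, so besides returning with err still 0 (the rhashtable insert just succeeded), it leaks ct_ft and leaves an entry in zones_ht whose nf_ft pointer is NULL, which a later lookup in this function would hand out as a usable table. Suggest `err = -ENOMEM; goto err_init;` instead: the added `kfree(ct_ft->nf_ft)` under err_init is NULL-safe, so that label already unwinds everything correctly for this failure.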
...