From: Thomas Haller <thaller@redhat.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: NetFilter <netfilter-devel@vger.kernel.org>
Subject: Re: [nft PATCH] src: use reentrant getprotobyname_r()/getprotobynumber_r()/getservbyport_r()
Date: Fri, 11 Aug 2023 14:58:48 +0200
Message-ID: <c5d1ed7aa26a439314fd26a959fd03b77d7ee7c0.camel@redhat.com>
In-Reply-To: <ZNYng8dQBhk48kj9@calendula>

Hi Pablo,

On Fri, 2023-08-11 at 14:20 +0200, Pablo Neira Ayuso wrote:
> On Thu, Aug 10, 2023 at 02:30:30PM +0200, Thomas Haller wrote:
> > If the reentrant versions of the functions are available, use them
> > so that libnftables is thread-safe in this regard.
>
> At netlink sequence tracking is not thread-safe, users hit EILSEQ
> errors when multiple threads recycle the same nft_ctx object. Updates
> are serialized by mutex per netns, batching is usually the way to go
> to amortize the cost of ruleset updates.

The problem already happens when one thread is using libnftables and
another thread calls one of those libc functions at an unfortunate
moment. It doesn't require multi-threaded uses of libnftables itself.

Also, why couldn't you have two threads, handling one netns each, with
separate nft_ctx objects?

> Are you planning to have a user of libnftables that is multi-thread?

No, I don't :) I was just interested in this topic.

Thomas
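
Added example, not part of the original message or of the nftables patch: the static-storage hazard of getprotobynumber() next to a lookup through glibc's getprotobynumber_r() that touches only caller-owned memory. The helper names proto_name_r() and static_result_clobbered() are hypothetical, and the code assumes glibc and a protocols database that lists tcp (6) and udp (17).

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* getprotobynumber_r() is a glibc extension */
#endif
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not nftables code: copy the name of protocol `number`
 * into caller-owned `out`. Returns 0, or an errno value (ENOENT if unknown). */
int proto_name_r(int number, char *out, size_t outlen)
{
    struct protoent ent, *res = NULL;
    size_t len = 128;
    char *buf = NULL, *tmp;
    int rc;

    do {                       /* grow the scratch buffer while libc says ERANGE */
        len *= 2;
        if (!(tmp = realloc(buf, len))) { free(buf); return ENOMEM; }
        buf = tmp;
        rc = getprotobynumber_r(number, &ent, buf, len, &res);
    } while (rc == ERANGE);

    if (rc == 0 && !res)
        rc = ENOENT;           /* lookup worked, but no such protocol */
    if (rc == 0 && snprintf(out, outlen, "%s", res->p_name) >= (int)outlen)
        rc = ENAMETOOLONG;     /* name did not fit in the caller's buffer */
    free(buf);
    return rc;
}

/* The hazard: getprotobynumber() returns libc-owned static storage, so a later
 * call (from this or any other thread) rewrites an earlier result.
 * Returns 1 if the first result changed, 0 if not, -1 if a lookup failed. */
int static_result_clobbered(void)
{
    char first[64];
    struct protoent *a = getprotobynumber(6), *b;   /* 6 = tcp */

    if (!a)
        return -1;
    snprintf(first, sizeof(first), "%s", a->p_name);
    b = getprotobynumber(17);                       /* 17 = udp */
    if (!b)
        return -1;
    return a == b && strcmp(a->p_name, first) != 0;
}
```

static_result_clobbered() shows the overwrite within a single thread; with a second thread the same overwrite can land between the lookup and the caller's read of p_name, which is the case described in the message above.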