authorPablo Neira Ayuso <pablo@netfilter.org>2014-01-25 08:03:51 -0500
committerPablo Neira Ayuso <pablo@netfilter.org>2014-02-06 05:46:06 -0500
commit0165d9325d6a3cf856e2cbbe64a0f4635ac75893 (patch)
tree0e33bf5e9bac4ac772b45d41899ca16024c2ff7e /include/net
parentb8ecbee67c732ef9fc47fcf50aed6b7bb6231d98 (diff)
netfilter: nf_tables: fix racy rule deletion
We may lose a race if we flush the rule-set (which happens asynchronously via call_rcu) and we try to remove the table (that userspace assumes to be empty). Fix this by recovering synchronous rule and chain deletion. This was introduced some time ago, before we had batch support, when synchronous rule deletion performance was not good. Now that we have the batch support, we can just postpone the purge of old rules in a second step in the commit phase. All object deletions are synchronous after this patch. As a side effect, we save memory as we don't need an rcu_head per rule anymore. Cc: Patrick McHardy <kaber@trash.net> Reported-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/net')
-rw-r--r--include/net/netfilter/nf_tables.h4
1 files changed, 0 insertions, 4 deletions
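--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -322,7 +322,6 @@ static inline void *nft_expr_priv(const struct nft_expr *expr)
  * struct nft_rule - nf_tables rule
  *
  * @list: used internally
- * @rcu_head: used internally for rcu
  * @handle: rule handle
  * @genmask: generation mask
  * @dlen: length of expression data
@@ -330,7 +329,6 @@ static inline void *nft_expr_priv(const struct nft_expr *expr)
  */
 struct nft_rule {
 	struct list_head		list;
-	struct rcu_head			rcu_head;
 	u64				handle:46,
 					genmask:2,
 					dlen:16;
@@ -391,7 +389,6 @@ enum nft_chain_flags {
  *
  * @rules: list of rules in the chain
  * @list: used internally
- * @rcu_head: used internally
  * @net: net namespace that this chain belongs to
  * @table: table that this chain belongs to
  * @handle: chain handle
@@ -403,7 +400,6 @@ enum nft_chain_flags {
 struct nft_chain {
 	struct list_head		rules;
 	struct list_head		list;
-	struct rcu_head			rcu_head;
 	struct net			*net;
 	struct nft_table		*table;
 	u64				handle;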