netfilter: nf_tables: prepare set element accounting for async updates

Use atomic operations for the element count to avoid races with async
updates.

To properly handle the transactional semantics during netlink updates,
deleted but not yet committed elements are accounted for seperately and
are treated as being already removed. This means for the duration of
a netlink transaction, the limit might be exceeded by the amount of
elements deleted. Set implementations must be prepared to handle this.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 3 insertions, 1 deletions

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index a785699329c9..746423332fcb 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -258,6 +258,7 @@ void nft_unregister_set(struct nft_set_ops *ops);
  *      @dtype: data type (verdict or numeric type defined by userspace)
  *      @size: maximum set size
  *      @nelems: number of elements
+ *      @ndeact: number of deactivated elements queued for removal
  *      @timeout: default timeout value in msecs
  *      @gc_int: garbage collection interval in msecs
  *      @policy: set parameterization (see enum nft_set_policies)
@@ -275,7 +276,8 @@ struct nft_set {
         u32                             ktype;
         u32                             dtype;
         u32                             size;
-        u32                             nelems;
+        atomic_t                        nelems;
+        u32                             ndeact;
         u64                             timeout;
         u32                             gc_int;
         u16                             policy;