aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--include/net/netfilter/nf_tables.h2
-rw-r--r--net/netfilter/nf_tables_api.c24
2 files changed, 8 insertions, 18 deletions
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 845c596bf594..3ae969e3acf0 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -396,14 +396,12 @@ struct nft_rule {
396/** 396/**
397 * struct nft_trans - nf_tables object update in transaction 397 * struct nft_trans - nf_tables object update in transaction
398 * 398 *
399 * @rcu_head: rcu head to defer release of transaction data
400 * @list: used internally 399 * @list: used internally
401 * @msg_type: message type 400 * @msg_type: message type
402 * @ctx: transaction context 401 * @ctx: transaction context
403 * @data: internal information related to the transaction 402 * @data: internal information related to the transaction
404 */ 403 */
405struct nft_trans { 404struct nft_trans {
406 struct rcu_head rcu_head;
407 struct list_head list; 405 struct list_head list;
408 int msg_type; 406 int msg_type;
409 struct nft_ctx ctx; 407 struct nft_ctx ctx;
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 11ab4b078f3b..66e8425dbfe7 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3484,13 +3484,8 @@ static void nft_chain_commit_update(struct nft_trans *trans)
3484 } 3484 }
3485} 3485}
3486 3486
3487/* Schedule objects for release via rcu to make sure no packets are accesing 3487static void nf_tables_commit_release(struct nft_trans *trans)
3488 * removed rules.
3489 */
3490static void nf_tables_commit_release_rcu(struct rcu_head *rt)
3491{ 3488{
3492 struct nft_trans *trans = container_of(rt, struct nft_trans, rcu_head);
3493
3494 switch (trans->msg_type) { 3489 switch (trans->msg_type) {
3495 case NFT_MSG_DELTABLE: 3490 case NFT_MSG_DELTABLE:
3496 nf_tables_table_destroy(&trans->ctx); 3491 nf_tables_table_destroy(&trans->ctx);
@@ -3612,10 +3607,11 @@ static int nf_tables_commit(struct sk_buff *skb)
3612 } 3607 }
3613 } 3608 }
3614 3609
3610 synchronize_rcu();
3611
3615 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { 3612 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
3616 list_del(&trans->list); 3613 list_del(&trans->list);
3617 trans->ctx.nla = NULL; 3614 nf_tables_commit_release(trans);
3618 call_rcu(&trans->rcu_head, nf_tables_commit_release_rcu);
3619 } 3615 }
3620 3616
3621 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); 3617 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
@@ -3623,13 +3619,8 @@ static int nf_tables_commit(struct sk_buff *skb)
3623 return 0; 3619 return 0;
3624} 3620}
3625 3621
3626/* Schedule objects for release via rcu to make sure no packets are accesing 3622static void nf_tables_abort_release(struct nft_trans *trans)
3627 * aborted rules.
3628 */
3629static void nf_tables_abort_release_rcu(struct rcu_head *rt)
3630{ 3623{
3631 struct nft_trans *trans = container_of(rt, struct nft_trans, rcu_head);
3632
3633 switch (trans->msg_type) { 3624 switch (trans->msg_type) {
3634 case NFT_MSG_NEWTABLE: 3625 case NFT_MSG_NEWTABLE:
3635 nf_tables_table_destroy(&trans->ctx); 3626 nf_tables_table_destroy(&trans->ctx);
@@ -3725,11 +3716,12 @@ static int nf_tables_abort(struct sk_buff *skb)
3725 } 3716 }
3726 } 3717 }
3727 3718
3719 synchronize_rcu();
3720
3728 list_for_each_entry_safe_reverse(trans, next, 3721 list_for_each_entry_safe_reverse(trans, next,
3729 &net->nft.commit_list, list) { 3722 &net->nft.commit_list, list) {
3730 list_del(&trans->list); 3723 list_del(&trans->list);
3731 trans->ctx.nla = NULL; 3724 nf_tables_abort_release(trans);
3732 call_rcu(&trans->rcu_head, nf_tables_abort_release_rcu);
3733 } 3725 }
3734 3726
3735 return 0; 3727 return 0;
generated by cgit v1.2.2 (git 2.25.0) at 2025-09-09 05:17:31 -0400