Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/1.1/patches/2223660/?format=api
{ "id": 2223660, "url": "http://patchwork.ozlabs.org/api/1.1/patches/2223660/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260415223309.95527-3-pablo@netfilter.org/", "project": { "id": 26, "url": "http://patchwork.ozlabs.org/api/1.1/projects/26/?format=api", "name": "Netfilter Development", "link_name": "netfilter-devel", "list_id": "netfilter-devel.vger.kernel.org", "list_email": "netfilter-devel@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null }, "msgid": "<20260415223309.95527-3-pablo@netfilter.org>", "date": "2026-04-15T22:33:09", "name": "[nf,v3,3/3] netfilter: nf_tables: add hook transactions for device deletions", "commit_ref": null, "pull_url": null, "state": "changes-requested", "archived": false, "hash": "b0a58fc3d8a7f0890566db1419f63bee29f1bcfe", "submitter": { "id": 1315, "url": "http://patchwork.ozlabs.org/api/1.1/people/1315/?format=api", "name": "Pablo Neira Ayuso", "email": "pablo@netfilter.org" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260415223309.95527-3-pablo@netfilter.org/mbox/", "series": [ { "id": 500049, "url": "http://patchwork.ozlabs.org/api/1.1/series/500049/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=500049", "date": "2026-04-15T22:33:07", "name": "[nf,v3,1/3] rculist: add list_splice_rcu() for private lists", "version": 3, "mbox": "http://patchwork.ozlabs.org/series/500049/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2223660/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2223660/checks/", "tags": {}, "headers": { "Return-Path": "\n <netfilter-devel+bounces-11945-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "netfilter-devel@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=lUOxTIze;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11945-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"lUOxTIze\"", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124", "smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org" ], "Received": [ "from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fwwyY3wQVz1yHP\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 16 Apr 2026 08:37:57 +1000 (AEST)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id CAE28302ED70\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 15 Apr 2026 22:33:20 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id BFB0237FF6A;\n\tWed, 15 Apr 2026 22:33:19 +0000 (UTC)", "from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id B6DF52192F9\n\tfor <netfilter-devel@vger.kernel.org>; Wed, 15 Apr 2026 22:33:17 +0000 (UTC)", "from localhost.localdomain (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with ESMTPSA id 9BEAF6017D;\n\tThu, 16 Apr 2026 00:33:15 +0200 (CEST)" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776292399; cv=none;\n b=diBKsgpQI8WvrM8SSfI5g7BGOwzMglAkvh0zQemncxP4DPjlbMhcFiKaNUe0EgO2IXKnlBUvgYdT7Hyb6Ke+0dX19Ia6RwPaVhr7hubX6PoCAInVPtRT+qrIBET/VKoXy0D/pqZEcyRxiNZc9gVudZRjasQfWBKjje2nQFvH29E=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776292399; c=relaxed/simple;\n\tbh=OIkN0otQjUhbXT3pNaQkwAjWRosSp4HdDj/j/U1QruU=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=aJdE568AM/2vx5GacNk79EX2770St5ySbEbzFuiDdk+t5+O+Djw/lqDX33VNH7Obx0vgFgFIh3fBt3OHMGd7+OwHQ6bXL4iBDHh/7Z16a4jODGV4SZE12uCDdWb6OO7yrM/k2pvWH5UuaYGXZoHUsuGYR1aDrxo40LOsQy67KTk=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=lUOxTIze; arc=none smtp.client-ip=217.70.190.124", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1776292395;\n\tbh=QmtKylC+mxeYJuiPQRemHRhXScKrAiy74bCu9w4QzRM=;\n\th=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n\tb=lUOxTIzeoREbRhRX/vNHBzk3i+DNXL+etKzpVVFMVfoK23VEd/mHN8bz7l00px6Nh\n\t Y8Pp12SkqdXcrtFr0WEfLXQpQwhTCzOyiD4SE+rqAKSUMzfTNvMsu8eczK0lFa0Y1f\n\t uRtOuL6tU21jBjuytlhyzA5GAJ2JMiVzPKGVsFGuqD/Afs8B+oZ9GaLU+fh04VH+Y9\n\t a/644z5Ej7ut6+AnjP/kfSp2Ornl5S6srZlIVfq6Yb/tBgIPR8hVqbx9dR7eddWsIY\n\t YpEYeyIZcFG3QKpa3TbOty4bovSbS6nFnSLGqckHlsFgwluR2w1uGmLnWkzCJeG3ef\n\t qmnYizIDx14GA==", "From": "Pablo Neira Ayuso <pablo@netfilter.org>", "To": "netfilter-devel@vger.kernel.org", "Cc": "fw@strlen.de", "Subject": "[PATCH nf,v3 3/3] netfilter: nf_tables: add hook transactions for\n device deletions", "Date": "Thu, 16 Apr 2026 00:33:09 +0200", "Message-ID": "<20260415223309.95527-3-pablo@netfilter.org>", "X-Mailer": "git-send-email 2.47.3", "In-Reply-To": "<20260415223309.95527-1-pablo@netfilter.org>", "References": "<20260415223309.95527-1-pablo@netfilter.org>", "Precedence": "bulk", "X-Mailing-List": "netfilter-devel@vger.kernel.org", "List-Id": "<netfilter-devel.vger.kernel.org>", "List-Subscribe": "<mailto:netfilter-devel+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:netfilter-devel+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit" }, "content": "Restore the flag that indicates that the hook is going away, ie.\nNFT_HOOK_REMOVE, but add a new transaction object to track deletion\nof hooks without altering the basechain/flowtable hook_list during\nthe preparation phase.\n\nThe existing approach that moves the hook from the basechain/flowtable\nhook_list to transaction hook_list breaks netlink dump path readers\nof this RCU-protected list.\n\nIt should be possible use an array for nft_trans_hook to store the\ndeleted hooks to compact the representation but I am not expecting\nmany hook object, specially now that wildcard support for devices\nis in place.\n\nNote that the nft_trans_chain_hooks() list contains a list of struct\nnft_trans_hook objects for DELCHAIN and DELFLOWTABLE commands, while\nthis list stores struct nft_hook objects for NEWCHAIN and NEWFLOWTABLE.\nNote that new commands can be updated to use nft_trans_hook for\nconsistency.\n\nFixes: 7d937b107108 (\"netfilter: nf_tables: support for deleting devices in an existing netdev chain\")\nFixes: b6d9014a3335 (\"netfilter: nf_tables: delete flowtable hooks via transaction list\")\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n---\nv3: rebased on top of (\"netfilter: nf_tables: use list_del_rcu for netlink hooks\")\n add several helper functions to reduce copy-and-paste pattern\n\n include/net/netfilter/nf_tables.h | 13 ++++\n net/netfilter/nf_tables_api.c | 118 +++++++++++++++++++++++++-----\n 2 files changed, 114 insertions(+), 17 deletions(-)", "diff": "diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h\nindex ec8a8ec9c0aa..3ec41574af77 100644\n--- a/include/net/netfilter/nf_tables.h\n+++ b/include/net/netfilter/nf_tables.h\n@@ -1216,12 +1216,15 @@ struct nft_stats {\n \tstruct u64_stats_sync\tsyncp;\n };\n \n+#define NFT_HOOK_REMOVE\t(1 << 0)\n+\n struct nft_hook {\n \tstruct list_head\tlist;\n \tstruct list_head\tops_list;\n \tstruct rcu_head\t\trcu;\n \tchar\t\t\tifname[IFNAMSIZ];\n \tu8\t\t\tifnamelen;\n+\tu8\t\t\tflags;\n };\n \n struct nf_hook_ops *nft_hook_find_ops(const struct nft_hook *hook,\n@@ -1676,6 +1679,16 @@ struct nft_trans {\n \tu8\t\t\t\tput_net:1;\n };\n \n+/**\n+ * struct nft_trans_hook - nf_tables hook update in transaction\n+ * @list: used internally\n+ * @hook: struct nft_hook with the device hook\n+ */\n+struct nft_trans_hook {\n+\tstruct list_head\t\tlist;\n+\tstruct nft_hook\t\t\t*hook;\n+};\n+\n /**\n * struct nft_trans_binding - nf_tables object with binding support in transaction\n * @nft_trans: base structure, MUST be first member\ndiff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c\nindex 8c0706d6d887..5f6f91e5d6da 100644\n--- a/net/netfilter/nf_tables_api.c\n+++ b/net/netfilter/nf_tables_api.c\n@@ -380,6 +380,29 @@ static void nft_netdev_hook_unlink_free_rcu(struct nft_hook *hook)\n \tnft_netdev_hook_free_rcu(hook);\n }\n \n+static void nft_trans_hook_unlink_free(struct nft_trans_hook *trans_hook)\n+{\n+\tlist_del(&trans_hook->list);\n+\tkfree(trans_hook);\n+}\n+\n+static void nft_netdev_unregister_trans_hook(struct net *net,\n+\t\t\t\t\t struct list_head *hook_list)\n+{\n+\tstruct nft_trans_hook *trans_hook, *next;\n+\tstruct nf_hook_ops *ops;\n+\tstruct nft_hook *hook;\n+\n+\tlist_for_each_entry_safe(trans_hook, next, hook_list, list) {\n+\t\thook = trans_hook->hook;\n+\t\tlist_for_each_entry(ops, &hook->ops_list, list)\n+\t\t\tnf_unregister_net_hook(net, ops);\n+\n+\t\tnft_netdev_hook_unlink_free_rcu(hook);\n+\t\tnft_trans_hook_unlink_free(trans_hook);\n+\t}\n+}\n+\n static void nft_netdev_unregister_hooks(struct net *net,\n \t\t\t\t\tstruct list_head *hook_list,\n \t\t\t\t\tbool release_netdev)\n@@ -2397,8 +2420,12 @@ static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,\n \n \tlist_for_each_entry(hook, hook_list, list) {\n \t\tif (!strncmp(hook->ifname, this->ifname,\n-\t\t\t min(hook->ifnamelen, this->ifnamelen)))\n+\t\t\t min(hook->ifnamelen, this->ifnamelen))) {\n+\t\t\tif (hook->flags & NFT_HOOK_REMOVE)\n+\t\t\t\tcontinue;\n+\n \t\t\treturn hook;\n+\t\t}\n \t}\n \n \treturn NULL;\n@@ -3157,6 +3184,32 @@ static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info,\n \treturn nf_tables_addchain(&ctx, family, policy, flags, extack);\n }\n \n+static int nft_trans_delhook(struct nft_hook *hook,\n+\t\t\t struct list_head *del_list)\n+{\n+\tstruct nft_trans_hook *trans_hook;\n+\n+\ttrans_hook = kmalloc_obj(*trans_hook, GFP_KERNEL);\n+\tif (!trans_hook)\n+\t\treturn -ENOMEM;\n+\n+\ttrans_hook->hook = hook;\n+\tlist_add_tail(&trans_hook->list, del_list);\n+\thook->flags |= NFT_HOOK_REMOVE;\n+\n+\treturn 0;\n+}\n+\n+static void nft_trans_delhook_release(struct list_head *del_list)\n+{\n+\tstruct nft_trans_hook *trans_hook, *next;\n+\n+\tlist_for_each_entry_safe(trans_hook, next, del_list, list) {\n+\t\ttrans_hook->hook->flags &= ~NFT_HOOK_REMOVE;\n+\t\tnft_trans_hook_unlink_free(trans_hook);\n+\t}\n+}\n+\n static int nft_delchain_hook(struct nft_ctx *ctx,\n \t\t\t struct nft_base_chain *basechain,\n \t\t\t struct netlink_ext_ack *extack)\n@@ -3183,7 +3236,10 @@ static int nft_delchain_hook(struct nft_ctx *ctx,\n \t\t\terr = -ENOENT;\n \t\t\tgoto err_chain_del_hook;\n \t\t}\n-\t\tlist_move(&hook->list, &chain_del_list);\n+\t\tif (nft_trans_delhook(hook, &chain_del_list) < 0) {\n+\t\t\terr = -ENOMEM;\n+\t\t\tgoto err_chain_del_hook;\n+\t\t}\n \t}\n \n \ttrans = nft_trans_alloc_chain(ctx, NFT_MSG_DELCHAIN);\n@@ -3203,7 +3259,7 @@ static int nft_delchain_hook(struct nft_ctx *ctx,\n \treturn 0;\n \n err_chain_del_hook:\n-\tlist_splice(&chain_del_list, &basechain->hook_list);\n+\tnft_trans_delhook_release(&chain_del_list);\n \tnft_chain_release_hook(&chain_hook);\n \n \treturn err;\n@@ -8984,6 +9040,16 @@ static int nft_register_flowtable_net_hooks(struct net *net,\n \treturn err;\n }\n \n+static void nft_hooks_trans_destroy(struct list_head *hook_list)\n+{\n+\tstruct nft_trans_hook *trans_hook, *next;\n+\n+\tlist_for_each_entry_safe(trans_hook, next, hook_list, list) {\n+\t\tnft_netdev_hook_unlink_free_rcu(trans_hook->hook);\n+\t\tnft_trans_hook_unlink_free(trans_hook);\n+\t}\n+}\n+\n static void nft_hooks_destroy(struct list_head *hook_list)\n {\n \tstruct nft_hook *hook, *next;\n@@ -8992,6 +9058,24 @@ static void nft_hooks_destroy(struct list_head *hook_list)\n \t\tnft_netdev_hook_unlink_free_rcu(hook);\n }\n \n+static void nft_flowtable_unregister_trans_hook(struct net *net,\n+\t\t\t\t\t\tstruct nft_flowtable *flowtable,\n+\t\t\t\t\t\tstruct list_head *hook_list)\n+{\n+\tstruct nft_trans_hook *trans_hook, *next;\n+\tstruct nf_hook_ops *ops;\n+\tstruct nft_hook *hook;\n+\n+\tlist_for_each_entry_safe(trans_hook, next, hook_list, list) {\n+\t\thook = trans_hook->hook;\n+\t\tlist_for_each_entry(ops, &hook->ops_list, list)\n+\t\t\tnft_unregister_flowtable_ops(net, flowtable, ops);\n+\n+\t\tnft_netdev_hook_unlink_free_rcu(hook);\n+\t\tnft_trans_hook_unlink_free(trans_hook);\n+\t}\n+}\n+\n static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,\n \t\t\t\tstruct nft_flowtable *flowtable,\n \t\t\t\tstruct netlink_ext_ack *extack)\n@@ -9250,7 +9334,10 @@ static int nft_delflowtable_hook(struct nft_ctx *ctx,\n \t\t\terr = -ENOENT;\n \t\t\tgoto err_flowtable_del_hook;\n \t\t}\n-\t\tlist_move(&hook->list, &flowtable_del_list);\n+\t\tif (nft_trans_delhook(hook, &flowtable_del_list) < 0) {\n+\t\t\terr = -ENOMEM;\n+\t\t\tgoto err_flowtable_del_hook;\n+\t\t}\n \t}\n \n \ttrans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,\n@@ -9271,7 +9358,7 @@ static int nft_delflowtable_hook(struct nft_ctx *ctx,\n \treturn 0;\n \n err_flowtable_del_hook:\n-\tlist_splice(&flowtable_del_list, &flowtable->hook_list);\n+\tnft_trans_delhook_release(&flowtable_del_list);\n \tnft_flowtable_hook_release(&flowtable_hook);\n \n \treturn err;\n@@ -10104,7 +10191,7 @@ static void nft_commit_release(struct nft_trans *trans)\n \tcase NFT_MSG_DELCHAIN:\n \tcase NFT_MSG_DESTROYCHAIN:\n \t\tif (nft_trans_chain_update(trans))\n-\t\t\tnft_hooks_destroy(&nft_trans_chain_hooks(trans));\n+\t\t\tnft_hooks_trans_destroy(&nft_trans_chain_hooks(trans));\n \t\telse\n \t\t\tnf_tables_chain_destroy(nft_trans_chain(trans));\n \t\tbreak;\n@@ -10127,7 +10214,7 @@ static void nft_commit_release(struct nft_trans *trans)\n \tcase NFT_MSG_DELFLOWTABLE:\n \tcase NFT_MSG_DESTROYFLOWTABLE:\n \t\tif (nft_trans_flowtable_update(trans))\n-\t\t\tnft_hooks_destroy(&nft_trans_flowtable_hooks(trans));\n+\t\t\tnft_hooks_trans_destroy(&nft_trans_flowtable_hooks(trans));\n \t\telse\n \t\t\tnf_tables_flowtable_destroy(nft_trans_flowtable(trans));\n \t\tbreak;\n@@ -10920,9 +11007,8 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)\n \t\t\t\tnf_tables_chain_notify(&ctx, NFT_MSG_DELCHAIN,\n \t\t\t\t\t\t &nft_trans_chain_hooks(trans));\n \t\t\t\tif (!(table->flags & NFT_TABLE_F_DORMANT)) {\n-\t\t\t\t\tnft_netdev_unregister_hooks(net,\n-\t\t\t\t\t\t\t\t &nft_trans_chain_hooks(trans),\n-\t\t\t\t\t\t\t\t true);\n+\t\t\t\t\tnft_netdev_unregister_trans_hook(net,\n+\t\t\t\t\t\t\t\t &nft_trans_chain_hooks(trans));\n \t\t\t\t}\n \t\t\t} else {\n \t\t\t\tnft_chain_del(nft_trans_chain(trans));\n@@ -11052,9 +11138,9 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)\n \t\t\t\t\t\t\t nft_trans_flowtable(trans),\n \t\t\t\t\t\t\t &nft_trans_flowtable_hooks(trans),\n \t\t\t\t\t\t\t trans->msg_type);\n-\t\t\t\tnft_unregister_flowtable_net_hooks(net,\n-\t\t\t\t\t\t\t\t nft_trans_flowtable(trans),\n-\t\t\t\t\t\t\t\t &nft_trans_flowtable_hooks(trans));\n+\t\t\t\tnft_flowtable_unregister_trans_hook(net,\n+\t\t\t\t\t\t\t\t nft_trans_flowtable(trans),\n+\t\t\t\t\t\t\t\t &nft_trans_flowtable_hooks(trans));\n \t\t\t} else {\n \t\t\t\tlist_del_rcu(&nft_trans_flowtable(trans)->list);\n \t\t\t\tnf_tables_flowtable_notify(&ctx,\n@@ -11223,8 +11309,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)\n \t\tcase NFT_MSG_DELCHAIN:\n \t\tcase NFT_MSG_DESTROYCHAIN:\n \t\t\tif (nft_trans_chain_update(trans)) {\n-\t\t\t\tlist_splice(&nft_trans_chain_hooks(trans),\n-\t\t\t\t\t &nft_trans_basechain(trans)->hook_list);\n+\t\t\t\tnft_trans_delhook_release(&nft_trans_chain_hooks(trans));\n \t\t\t} else {\n \t\t\t\tnft_use_inc_restore(&table->use);\n \t\t\t\tnft_clear(trans->net, nft_trans_chain(trans));\n@@ -11338,8 +11423,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)\n \t\tcase NFT_MSG_DELFLOWTABLE:\n \t\tcase NFT_MSG_DESTROYFLOWTABLE:\n \t\t\tif (nft_trans_flowtable_update(trans)) {\n-\t\t\t\tlist_splice(&nft_trans_flowtable_hooks(trans),\n-\t\t\t\t\t &nft_trans_flowtable(trans)->hook_list);\n+\t\t\t\tnft_trans_delhook_release(&nft_trans_flowtable_hooks(trans));\n \t\t\t} else {\n \t\t\t\tnft_use_inc_restore(&table->use);\n \t\t\t\tnft_clear(trans->net, nft_trans_flowtable(trans));\n", "prefixes": [ "nf", "v3", "3/3" ] }