[{"id":3677820,"web_url":"http://patchwork.ozlabs.org/comment/3677820/","msgid":"<ad_6PaOwZJRHWgTd@strlen.de>","list_archive_url":null,"date":"2026-04-15T20:51:09","subject":"Re: [PATCH nf,v2 3/3] netfilter: nf_tables: add hook transactions\n for device deletions","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/people/1025/","name":"Florian Westphal","email":"fw@strlen.de"},"content":"Pablo Neira Ayuso <pablo@netfilter.org> wrote:\n> Restore the flag that indicates that the hook is going away, i.e.\n> NFT_HOOK_REMOVE, but add a new transaction object to track deletion\n> of hooks without altering the basechain/flowtable hook_list during\n> the preparation phase.\n> \n> The existing approach that moves the hook from the basechain/flowtable\n> hook_list to transaction hook_list breaks netlink dump path readers\n> of this RCU-protected list.\n> \n> It should be possible to use an array for nft_trans_hook to store the\n> deleted hooks to compact the representation but I am not expecting\n> many hook objects, especially now that wildcard support for devices\n> is in place.\n> \n> Note that the nft_trans_chain_hooks() list contains a list of struct\n> nft_trans_hook objects for DELCHAIN and DELFLOWTABLE commands, while\n> this list stores struct nft_hook objects for NEWCHAIN and NEWFLOWTABLE.\n> Note that new commands can be updated to use nft_trans_hook for\n> consistency.\n> \n> Fixes: 7d937b107108 (\"netfilter: nf_tables: support for deleting devices in an existing netdev chain\")\n> Fixes: b6d9014a3335 (\"netfilter: nf_tables: delete flowtable hooks via transaction list\")\n> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n> ---\n> v2: no changes.\n> \n>  include/net/netfilter/nf_tables.h |  13 ++++\n>  net/netfilter/nf_tables_api.c     | 124 ++++++++++++++++++++++++++----\n>  2 files changed, 120 insertions(+), 17 deletions(-)\n> \n> 
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h\n> index ec8a8ec9c0aa..3ec41574af77 100644\n> --- a/include/net/netfilter/nf_tables.h\n> +++ b/include/net/netfilter/nf_tables.h\n> @@ -1216,12 +1216,15 @@ struct nft_stats {\n>  \tstruct u64_stats_sync\tsyncp;\n>  };\n>  \n> +#define NFT_HOOK_REMOVE\t(1 << 0)\n> +\n>  struct nft_hook {\n>  \tstruct list_head\tlist;\n>  \tstruct list_head\tops_list;\n>  \tstruct rcu_head\t\trcu;\n>  \tchar\t\t\tifname[IFNAMSIZ];\n>  \tu8\t\t\tifnamelen;\n> +\tu8\t\t\tflags;\n>  };\n>  \n>  struct nf_hook_ops *nft_hook_find_ops(const struct nft_hook *hook,\n> 
@@ -1676,6 +1679,16 @@ struct nft_trans {\n>  \tu8\t\t\t\tput_net:1;\n>  };\n>  \n> +/**\n> + * struct nft_trans_hook - nf_tables hook update in transaction\n> + * @list: used internally\n> + * @hook: struct nft_hook with the device hook\n> + */\n> +struct nft_trans_hook {\n> +\tstruct list_head\t\tlist;\n> +\tstruct nft_hook\t\t\t*hook;\n> +};\n\nDo I get this correctly?\n\nnft_trans_container_flowtable(trans)->hook_list\nand\nnft_trans_container_chain(trans)->hook_list\n\nEither hold 'struct nft_hook' objects or nft_trans_hook objects?\nFormer when adding, latter when removing from existing base hook?\n\n> +\t\ttrans_hook = kmalloc(sizeof(*trans_hook), GFP_KERNEL);\n\nNote that 69050f8d6d07 (\"treewide: Replace kmalloc with kmalloc_obj for non-scalar types\")\ntransformed such allocation requests to use \"kmalloc_obj(*trans_hook, GFP_KERNEL);\"\ninstead.","headers":{"Return-Path":"\n <netfilter-devel+bounces-11941-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.105.105.114; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11941-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=strlen.de"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org [172.105.105.114])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fwtbZ1wHJz1yHP\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 16 Apr 2026 06:51:22 +1000 (AEST)","from 
smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 64C7D304C0EE\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 15 Apr 2026 20:51:20 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 8995138B7C9;\n\tWed, 15 Apr 2026 20:51:17 +0000 (UTC)","from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 31A063845D9\n\tfor <netfilter-devel@vger.kernel.org>; Wed, 15 Apr 2026 20:51:14 +0000 (UTC)","by Chamillionaire.breakpoint.cc (Postfix, from userid 1003)\n\tid 252A660490; Wed, 15 Apr 2026 22:51:09 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776286277; cv=none;\n b=FBwpV9i7ODuY1Ke/hFAzrVAW054uxsU0OY4utnOb5QcifofcKZszaLGDEpopTAQSP3T8PGkEJp8/kx/pkgqPWzDhpg1sey1wZUVoXDht76BvVfEPMlSRPhgaK6IJYCDbvlvnoqZi8Vwk8hm3xoQ2zGiz2nP0D1ikYxZPu2Irwwg=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776286277; c=relaxed/simple;\n\tbh=nCBRKkWY2Jey9UVNjPsk+K/+jJvjpOpjd21vzCxWwrw=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=W331p+TUDzXLxed108oZcxTQvQeoO1QQLwmo3NQUwOUko+79FwJhME/u07c7W3300WhsgrxSi1tzLuaRFjZIxJd1Ry6MimFuwKd4UamM1jxh1O9QmywTPPR/UIrCFx8E85ehPhtoFMEkOecqHclzxKEfp0ZJ+KFsJ9KGbtPDj7A=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=strlen.de; arc=none smtp.client-ip=91.216.245.30","Date":"Wed, 15 Apr 2026 22:51:09 +0200","From":"Florian Westphal <fw@strlen.de>","To":"Pablo Neira Ayuso <pablo@netfilter.org>","Cc":"netfilter-devel@vger.kernel.org","Subject":"Re: [PATCH nf,v2 3/3] netfilter: 
nf_tables: add hook transactions\n for device deletions","Message-ID":"<ad_6PaOwZJRHWgTd@strlen.de>","References":"<20260415171038.41442-1-pablo@netfilter.org>\n <20260415171038.41442-2-pablo@netfilter.org>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<20260415171038.41442-2-pablo@netfilter.org>"}},{"id":3677822,"web_url":"http://patchwork.ozlabs.org/comment/3677822/","msgid":"<ad_9hYaAp1Sbj1G7@chamomile>","list_archive_url":null,"date":"2026-04-15T21:05:09","subject":"Re: [PATCH nf,v2 3/3] netfilter: nf_tables: add hook transactions\n for device deletions","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"On Wed, Apr 15, 2026 at 10:51:09PM +0200, Florian Westphal wrote:\n> Pablo Neira Ayuso <pablo@netfilter.org> wrote:\n> > Restore the flag that indicates that the hook is going away, i.e.\n> > NFT_HOOK_REMOVE, but add a new transaction object to track deletion\n> > of hooks without altering the basechain/flowtable hook_list during\n> > the preparation phase.\n> > \n> > The existing approach that moves the hook from the basechain/flowtable\n> > hook_list to transaction hook_list breaks netlink dump path readers\n> > of this RCU-protected list.\n> > \n> > It should be possible to use an array for nft_trans_hook to store the\n> > deleted hooks to compact the representation but I am not expecting\n> > many hook objects, especially now that wildcard support for devices\n> > is in place.\n> > \n> > Note that the nft_trans_chain_hooks() list contains a list of struct\n> > nft_trans_hook objects for DELCHAIN and DELFLOWTABLE commands, while\n> > this list 
stores struct nft_hook objects for NEWCHAIN and NEWFLOWTABLE.\n> > Note that new commands can be updated to use nft_trans_hook for\n> > consistency.\n> > \n> > Fixes: 7d937b107108 (\"netfilter: nf_tables: support for deleting devices in an existing netdev chain\")\n> > Fixes: b6d9014a3335 (\"netfilter: nf_tables: delete flowtable hooks via transaction list\")\n> > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n> > ---\n> > v2: no changes.\n> > \n> >  include/net/netfilter/nf_tables.h |  13 ++++\n> >  net/netfilter/nf_tables_api.c     | 124 ++++++++++++++++++++++++++----\n> >  2 files changed, 120 insertions(+), 17 deletions(-)\n> > \n> > diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h\n> > index ec8a8ec9c0aa..3ec41574af77 100644\n> > --- a/include/net/netfilter/nf_tables.h\n> > +++ b/include/net/netfilter/nf_tables.h\n> > @@ -1216,12 +1216,15 @@ struct nft_stats {\n> >  \tstruct u64_stats_sync\tsyncp;\n> >  };\n> >  \n> > +#define NFT_HOOK_REMOVE\t(1 << 0)\n> > +\n> >  struct nft_hook {\n> >  \tstruct list_head\tlist;\n> >  \tstruct list_head\tops_list;\n> >  \tstruct rcu_head\t\trcu;\n> >  \tchar\t\t\tifname[IFNAMSIZ];\n> >  \tu8\t\t\tifnamelen;\n> > +\tu8\t\t\tflags;\n> >  };\n> >  \n> >  struct nf_hook_ops *nft_hook_find_ops(const struct nft_hook *hook,\n> 
> @@ -1676,6 +1679,16 @@ struct nft_trans {\n> >  \tu8\t\t\t\tput_net:1;\n> >  };\n> >  \n> > +/**\n> > + * struct nft_trans_hook - nf_tables hook update in transaction\n> > + * @list: used internally\n> > + * @hook: struct nft_hook with the device hook\n> > + */\n> > +struct nft_trans_hook {\n> > +\tstruct list_head\t\tlist;\n> > +\tstruct nft_hook\t\t\t*hook;\n> > +};\n> \n> Do I get this correctly?\n> \n> nft_trans_container_flowtable(trans)->hook_list\n> and\n> nft_trans_container_chain(trans)->hook_list\n> \n> Either hold 'struct nft_hook' objects or nft_trans_hook objects?\n> Former when adding, latter when removing from existing base hook?\n\nAdd, update -> struct nft_hook\nDelete -> struct nft_trans_hook\n\nYes. I could add a separated list, but this list is exclusive for the\ntransaction object. Another option is a union to highlight how it is\nused, but it is not better than the current mixed semantics, which are\nnot ideal.\n\nAs a follow up, it should be possible to use nft_trans_hook for\nupdates too in nf-next for consistency.\n\n> > +\t\ttrans_hook = kmalloc(sizeof(*trans_hook), GFP_KERNEL);\n> \n> Note that 69050f8d6d07 (\"treewide: Replace kmalloc with kmalloc_obj for non-scalar types\")\n> transformed such allocation requests to use \"kmalloc_obj(*trans_hook, GFP_KERNEL);\"\n> instead.\n\nI will replace it to use the new kmalloc_obj().","headers":{"Return-Path":"\n <netfilter-devel+bounces-11942-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=BN1+Vxap;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.234.253.10; helo=sea.lore.kernel.org;\n 
envelope-from=netfilter-devel+bounces-11942-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"BN1+Vxap\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org [172.234.253.10])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fwtz3496Xz1yHP\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 16 Apr 2026 07:08:15 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id D02A530CA7F8\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 15 Apr 2026 21:05:17 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id F41EE2236F2;\n\tWed, 15 Apr 2026 21:05:16 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id D3DD432E126\n\tfor <netfilter-devel@vger.kernel.org>; Wed, 15 Apr 2026 21:05:14 +0000 (UTC)","from netfilter.org (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with UTF8SMTPSA id 556FE60179;\n\tWed, 15 Apr 2026 23:05:12 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776287116; cv=none;\n 
b=otxH/bLCYESFhKEhf6N2kCEPRDWelLd1DrtFWsgqWDD6N9+Jsmkd7XdmB2TKqSkcTB30XQ2ORq+eJQ+XvajiFrbdMK3AIf8cdc1m0eudw3PxNSg0hl9YNuTvV6VU6MVZjWEOx9/nfkW2yEtL9r0o46g391dj+f9IwEnlZHFznF8=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776287116; c=relaxed/simple;\n\tbh=/eVvfb8/C8kUFuTyoeLhPmkqaypi3fjfMIere346t4M=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=Uq6sOOeZzeTJ0xhm1xw3QNChg6743M5+iZZEggdwKOPDOr+afXwC/3b02BnsawM8FD33kvjoQtvVDk5/7/RMcL1f6S3nD+erzv2uc9UJ3NBCzjOQf6TPj1RrtzDgdDXixqof6tP4vY8E9SGEdORBm6Ot3biDD1FxrsfROhiqAp8=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=BN1+Vxap; arc=none smtp.client-ip=217.70.190.124","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1776287112;\n\tbh=dfio/Z1nmstskWHxDhbghMcef7Ivh4JdWJdtQJHVcCc=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=BN1+Vxapa6wGEr1vUxdzdp5lUIAhdgThF9qRd2fBk2U89WgjTHUJpwYzSQmiIZjmC\n\t jxcl1SmZFgQyE0HyxL+s57DSrtrSn9XqH7qjV4PmpZMjZrhix1D4k0h8MvwRRPADPz\n\t RfQlNdy4qmZr2EXFAhwXUsXla5D7098hKvCdISbsVayQlX3GbDDgLyY3MkoFUcGRC/\n\t KoQjrXB9dNfXpTSlKSK4n5PkxBO1uprs6m6zeeiTVHtpMyTKIkLH3f/uKgUx/wcNjQ\n\t vscFeTQcK/dir/ngo0Xp2CDjMTs+AuOSX77NbumXO9+NaLejLLfUdc7l/bdriI8MDH\n\t jDM4/uFV6bYFQ==","Date":"Wed, 15 Apr 2026 23:05:09 +0200","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"Florian Westphal <fw@strlen.de>","Cc":"netfilter-devel@vger.kernel.org","Subject":"Re: [PATCH nf,v2 3/3] netfilter: nf_tables: add hook transactions\n for device deletions","Message-ID":"<ad_9hYaAp1Sbj1G7@chamomile>","References":"<20260415171038.41442-1-pablo@netfilter.org>\n <20260415171038.41442-2-pablo@netfilter.org>\n 
<ad_6PaOwZJRHWgTd@strlen.de>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<ad_6PaOwZJRHWgTd@strlen.de>"}}]
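Review bot: In the first nf_tables.h hunk, the new u8 flags member of struct nft_hook and the NFT_HOOK_REMOVE define are added without any comment, so the header does not say who sets the bit or whether readers walking the RCU-protected hook_list (the netlink dump path named in the commit message) are expected to skip flagged hooks. Add a short comment above the define stating that it marks a hook queued for deletion during the preparation phase while it stays linked on the basechain/flowtable hook_list, and consider BIT(0) in place of (1 << 0).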
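Review bot: In the second nf_tables.h hunk, the kernel-doc for struct nft_trans_hook describes @list only as used internally and does not record that the transaction hook_list holds struct nft_hook entries for NEWCHAIN/NEWFLOWTABLE but struct nft_trans_hook entries for DELCHAIN/DELFLOWTABLE, which is the point the reviewer had to ask about. State that in the comment, and say that @hook points at an nft_hook still linked on the basechain or flowtable hook_list, since walking the list with the wrong entry type is a type confusion the compiler will not catch.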