Message ID | 20230810070830.24064-2-pablo@netfilter.org |
---|---|
State | Not Applicable, archived |
Series | [net,1/5] netfilter: nf_tables: don't skip expired elements during walk | expand |
Hello: This series was applied to netdev/net.git (main) by Pablo Neira Ayuso <pablo@netfilter.org>: On Thu, 10 Aug 2023 09:08:26 +0200 you wrote: > From: Florian Westphal <fw@strlen.de> > > There is an asymmetry between commit/abort and preparation phase if the > following conditions are met: > > 1. set is a verdict map ("1.2.3.4 : jump foo") > 2. timeouts are enabled > > [...] Here is the summary with links: - [net,1/5] netfilter: nf_tables: don't skip expired elements during walk https://git.kernel.org/netdev/net/c/24138933b97b - [net,2/5] netfilter: nf_tables: GC transaction API to avoid race with control plane https://git.kernel.org/netdev/net/c/5f68718b34a5 - [net,3/5] netfilter: nf_tables: adapt set backend to use GC transaction API https://git.kernel.org/netdev/net/c/f6c383b8c31a - [net,4/5] netfilter: nft_set_hash: mark set element as dead when deleting from packet path https://git.kernel.org/netdev/net/c/c92db3030492 - [net,5/5] netfilter: nf_tables: remove busy mark and gc batch API https://git.kernel.org/netdev/net/c/a2dd0233cbc4 You are awesome, thank you!
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index d3c6ecd1f5a6..b4321869e5c6 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5602,8 +5602,12 @@ static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
 const struct nft_set_iter *iter,
 struct nft_set_elem *elem)
 {
+ const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
 struct nft_set_dump_args *args;
 
+ if (nft_set_elem_expired(ext))
+ return 0;
+
 args = container_of(iter, struct nft_set_dump_args, iter);
 return nf_tables_fill_setelem(args->skb, set, elem, args->reset);
 }
diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
index 0b73cb0e752f..24caa31fa231 100644
--- a/net/netfilter/nft_set_hash.c
+++ b/net/netfilter/nft_set_hash.c
@@ -278,8 +278,6 @@ static void nft_rhash_walk(const struct nft_ctx *ctx, struct nft_set *set,
 
 if (iter->count < iter->skip)
 goto cont;
- if (nft_set_elem_expired(&he->ext))
- goto cont;
 if (!nft_set_elem_active(&he->ext, iter->genmask))
 goto cont;
 
diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
index 49915a2a58eb..d54784ea465b 100644
--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -566,8 +566,7 @@ static struct nft_pipapo_elem *pipapo_get(const struct net *net,
 goto out;
 
 if (last) {
- if (nft_set_elem_expired(&f->mt[b].e->ext) ||
- (genmask &&
+ if ((genmask &&
 !nft_set_elem_active(&f->mt[b].e->ext, genmask)))
 goto next_match;
 
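Review bot: The new early return in nf_tables_dump_setelem hides expired elements from the dump without saying why the filter now lives here rather than in the walk functions, which this same series stops filtering (nft_rhash_walk, pipapo_get, nft_pipapo_walk, nft_rbtree_walk). A one-line comment above the check would keep the next reader from "fixing" the walkers back, e.g. `/* Walkers now visit expired elements; keep them out of userspace dumps. */`. Note that `set` is not declared inside the hunk; it appears to be a parameter of the function, whose signature starts above the hunk.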
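Review bot: With the expired check removed from nft_rhash_walk, every iter->fn callback reached through this walk now receives elements that are still active in iter->genmask but have passed their timeout; the same removal appears in nft_pipapo_walk (@@ -2005) and nft_rbtree_walk (@@ -552) on this page. The diff does not show the other walk callbacks, so whether each of them tolerates expired elements has to be confirmed outside these hunks. A short comment at the remaining active check would record the intent, e.g. `/* Expired elements are visited on purpose; callbacks decide what to do with them. */`. nft_rhash_walk begins and ends outside the hunk.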
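Review bot: The rewritten condition in pipapo_get keeps a pair of parentheses that only the removed `||` needed, so it now reads `if ((genmask && !nft_set_elem_active(...)))`. Dropping the outer pair and rejoining the line is clearer: `if (genmask && !nft_set_elem_active(&f->mt[b].e->ext, genmask))`. Since this lookup no longer rejects expired entries, every caller of pipapo_get other than nft_pipapo_get (which re-adds the check in @@ -601) can now be handed an expired element; that appears to be the point of the series, but it is worth stating in the function's comment. pipapo_get starts and ends outside the hunk.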
@@ -601,8 +600,17 @@ static struct nft_pipapo_elem *pipapo_get(const struct net *net,
 static void *nft_pipapo_get(const struct net *net, const struct nft_set *set,
 const struct nft_set_elem *elem, unsigned int flags)
 {
- return pipapo_get(net, set, (const u8 *)elem->key.val.data,
- nft_genmask_cur(net));
+ struct nft_pipapo_elem *ret;
+
+ ret = pipapo_get(net, set, (const u8 *)elem->key.val.data,
+ nft_genmask_cur(net));
+ if (IS_ERR(ret))
+ return ret;
+
+ if (nft_set_elem_expired(&ret->ext))
+ return ERR_PTR(-ENOENT);
+
+ return ret;
 }
 
 /**
@@ -2005,8 +2013,6 @@ static void nft_pipapo_walk(const struct nft_ctx *ctx, struct nft_set *set,
 goto cont;
 
 e = f->mt[r].e;
- if (nft_set_elem_expired(&e->ext))
- goto cont;
 
 elem.priv = e;
 
diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
index 8d73fffd2d09..39956e5341c9 100644
--- a/net/netfilter/nft_set_rbtree.c
+++ b/net/netfilter/nft_set_rbtree.c
@@ -552,8 +552,6 @@ static void nft_rbtree_walk(const struct nft_ctx *ctx,
 
 if (iter->count < iter->skip)
 goto cont;
- if (nft_set_elem_expired(&rbe->ext))
- goto cont;
 if (!nft_set_elem_active(&rbe->ext, iter->genmask))
 goto cont;
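Review bot: nft_pipapo_get now performs the expiry check that pipapo_get used to do, but nothing in the new body says so, and the `ret` two-step is the kind of code a later cleanup might collapse back into a direct return. Suggest a comment above the check, `/* pipapo_get() no longer filters expired elements; hide them from get requests */`, and a line in the kernel-doc above nft_pipapo_get (outside the hunk) stating that an expired match yields -ENOENT. The early `if (IS_ERR(ret)) return ret;` relies on pipapo_get never returning NULL for a miss; if it could, the `ret->ext` dereference would follow, so that contract should be confirmed against pipapo_get's body.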