netfilter: nf_tables: defer all object release via rcu

author Pablo Neira Ayuso <pablo@netfilter.org>

Wed, 9 Apr 2014 22:31:10 +0000 (00:31 +0200)

committer Pablo Neira Ayuso <pablo@netfilter.org>

Mon, 19 May 2014 10:06:13 +0000 (12:06 +0200)
author Pablo Neira Ayuso <pablo@netfilter.org>
Wed, 9 Apr 2014 22:31:10 +0000 (00:31 +0200)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Mon, 19 May 2014 10:06:13 +0000 (12:06 +0200)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h

index 1ed2797fb964877ed412b2bae1e62bd792c43375..7ee6ce6564aecc6b98eb6247e6d6c6263a3e130c 100644 (file)
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -393,12 +393,14 @@ struct nft_rule {
  /**
   *     struct nft_trans - nf_tables object update in transaction
   *
+ *     @rcu_head: rcu head to defer release of transaction data
   *     @list: used internally
   *     @msg_type: message type
   *     @ctx: transaction context
   *     @data: internal information related to the transaction
   */
  struct nft_trans {
+       struct rcu_head                 rcu_head;
         struct list_head                list;
         int                             msg_type;
         struct nft_ctx                  ctx;
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c

index 4147166ad17c45d636902262d40d74d10a35b481..e171c635d08cd3972eb5aad99874aff2f3f936bc 100644 (file)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3298,6 +3298,30 @@ static void nft_chain_commit_update(struct nft_trans *trans)
         }
  }
  
+/* Schedule objects for release via rcu to make sure no packets are accesing
+ * removed rules.
+ */
+static void nf_tables_commit_release_rcu(struct rcu_head *rt)
+{
+       struct nft_trans *trans = container_of(rt, struct nft_trans, rcu_head);
+
+       switch (trans->msg_type) {
+       case NFT_MSG_DELTABLE:
+               nf_tables_table_destroy(&trans->ctx);
+               break;
+       case NFT_MSG_DELCHAIN:
+               nf_tables_chain_destroy(trans->ctx.chain);
+               break;
+       case NFT_MSG_DELRULE:
+               nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
+               break;
+       case NFT_MSG_DELSET:
+               nft_set_destroy(nft_trans_set(trans));
+               break;
+       }
+       kfree(trans);
+}
+
  static int nf_tables_commit(struct sk_buff *skb)
  {
         struct net *net = sock_net(skb->sk);
@@ -3397,32 +3421,39 @@ static int nf_tables_commit(struct sk_buff *skb)
                 }
         }
  
-       /* Make sure we don't see any packet traversing old rules */
-       synchronize_rcu();
-
-       /* Now we can safely release unused old rules */
         list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
-               switch (trans->msg_type) {
-               case NFT_MSG_DELTABLE:
-                       nf_tables_table_destroy(&trans->ctx);
-                       break;
-               case NFT_MSG_DELCHAIN:
-                       nf_tables_chain_destroy(trans->ctx.chain);
-                       break;
-               case NFT_MSG_DELRULE:
-                       nf_tables_rule_destroy(&trans->ctx,
-                                              nft_trans_rule(trans));
-                       break;
-               case NFT_MSG_DELSET:
-                       nft_set_destroy(nft_trans_set(trans));
-                       break;
-               }
-               nft_trans_destroy(trans);
+               list_del(&trans->list);
+               trans->ctx.nla = NULL;
+               call_rcu(&trans->rcu_head, nf_tables_commit_release_rcu);
         }
  
         return 0;
  }
  
+/* Schedule objects for release via rcu to make sure no packets are accesing
+ * aborted rules.
+ */
+static void nf_tables_abort_release_rcu(struct rcu_head *rt)
+{
+       struct nft_trans *trans = container_of(rt, struct nft_trans, rcu_head);
+
+       switch (trans->msg_type) {
+       case NFT_MSG_NEWTABLE:
+               nf_tables_table_destroy(&trans->ctx);
+               break;
+       case NFT_MSG_NEWCHAIN:
+               nf_tables_chain_destroy(trans->ctx.chain);
+               break;
+       case NFT_MSG_NEWRULE:
+               nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
+               break;
+       case NFT_MSG_NEWSET:
+               nft_set_destroy(nft_trans_set(trans));
+               break;
+       }
+       kfree(trans);
+}
+
  static int nf_tables_abort(struct sk_buff *skb)
  {
         struct net *net = sock_net(skb->sk);
@@ -3495,26 +3526,10 @@ static int nf_tables_abort(struct sk_buff *skb)
                 }
         }
  
-       /* Make sure we don't see any packet accessing aborted rules */
-       synchronize_rcu();
-
         list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
-               switch (trans->msg_type) {
-               case NFT_MSG_NEWTABLE:
-                       nf_tables_table_destroy(&trans->ctx);
-                       break;
-               case NFT_MSG_NEWCHAIN:
-                       nf_tables_chain_destroy(trans->ctx.chain);
-                       break;
-               case NFT_MSG_NEWRULE:
-                       nf_tables_rule_destroy(&trans->ctx,
-                                              nft_trans_rule(trans));
-                       break;
-               case NFT_MSG_NEWSET:
-                       nft_set_destroy(nft_trans_set(trans));
-                       break;
-               }
-               nft_trans_destroy(trans);
+               list_del(&trans->list);
+               trans->ctx.nla = NULL;
+               call_rcu(&trans->rcu_head, nf_tables_abort_release_rcu);
         }
  
         return 0;
author	Pablo Neira Ayuso <pablo@netfilter.org>
	Wed, 9 Apr 2014 22:31:10 +0000 (00:31 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 19 May 2014 10:06:13 +0000 (12:06 +0200)
include/net/netfilter/nf_tables.h		patch \| blob \| history
net/netfilter/nf_tables_api.c		patch \| blob \| history