[ sorry accidentally dropped netfilter-devel ] On Fri, Feb 14, 2014 at 12:27:08PM +0100, Pablo Neira Ayuso wrote: > If some modules are missing while processing a rule batch, the updates > are aborted to start scratch since the nfnl lock was released. If the > rule-set contains this configuration (in this order): > > #1 rule using anonymous set > #2 rule requiring module autoload > > The anonymous set will be released when aborting. This patch fixes this > by passing a context variable (autoload) that can be used to decide if > the anonymous set has to be released or not. > > Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> > --- > I guess we can encapsulate that autoload into a context information structure > in the future in case any other information is needed in the rule destroy path > to make this look nicer. > > I started hacking on two patches to net-next, one to include table, chains and > set into the batch and follow up to add atomic updates for sets. @Patrick: I > think that should not interfer with your set enhancements. Wouldn't be a big problem, they're pretty much contained to newset(). Regarding this patch - I'd really prefer to just fix batches to include sets instead of changing all these function signatures just to handle this very specific case. I'm wondering how this will work in case of anonymous sets though, right now we need two transactions so userspace can attach the new set to the lookup expression. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
