Hi,

This patchset contains updates for the new transaction infrastructure,
they are:

* Make sure that this releases objects in reverse order in the abort path
  to avoid possible use after free. No need for the reverse iteration in
  the commit path since they already come in the right order according to
  object dependencies.

* Introduce locking to the rbtree that is used for interval sets.

* Allow to delete several objects using a batch, this updates the use
  counter semantics applying the following rules:

  1) If you add/delete a chain, it increments/decrements the table use
     counter.
  2) If you add/delete a rule, it increments/decrements the chain use
     counter.
  3) If you add/delete a set, it increments/decrements the table use
     counter.
  4) If you bind an anonymous set to a rule, it decrements the table use
     counter. This avoids an -EBUSY error since bound anonymous sets are
     released quite late in the commit/abort path, from the rcu callback.
     This should be safe since the rule updated the chain use counter, so
     it is not possible to remove a table with bound anonymous sets. This
     rule does not apply to unbound anonymous sets.

* Use atomic memory allocations in the anonymous set notification path
  from the rcu callback.

Pablo Neira Ayuso (4):
  netfilter: nf_tables: release objects in reverse order in the abort path
  netfilter: nf_rbtree: introduce locking
  netfilter: nf_tables: allow to delete several objects from a batch
  netfilter: nf_tables: atomic allocation in set notifications from rcu callback

 net/netfilter/nf_tables_api.c | 55 +++++++++++++++++++++++++++++------------
 net/netfilter/nft_rbtree.c    | 22 ++++++++++++++++-
 2 files changed, 60 insertions(+), 17 deletions(-)

--
1.7.10.4
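The four use-counter rules from the cover letter above, as an added user-space model (not code from the patchset or from nf_tables): it shows why a batch that deletes a rule, its chain and the table succeeds when the anonymous set is bound, and returns -EBUSY when it is not. All struct and function names are hypothetical, and the -EBUSY checks on a non-zero counter are a modelling assumption based on the error the letter mentions.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified user-space model of the four use-counter rules listed above.
 * All names are hypothetical; this is not code from nf_tables_api.c. */
struct table { unsigned int use; };
struct chain { struct table *table; unsigned int use; };

static void chain_add(struct table *t, struct chain *c)
{
	c->table = t;
	c->use = 0;
	t->use++;				/* rule 1 */
}
static void rule_add(struct chain *c) { c->use++; }		/* rule 2 */
static void set_add(struct table *t) { t->use++; }		/* rule 3 */
static void anon_set_bind(struct table *t) { t->use--; }	/* rule 4 */

static void rule_del(struct chain *c) { c->use--; }		/* rule 2 */
static int chain_del(struct chain *c)
{
	if (c->use)
		return -EBUSY;		/* rules still reference the chain */
	c->table->use--;		/* rule 1 */
	return 0;
}
static int table_del(const struct table *t) { return t->use ? -EBUSY : 0; }

/* One batch: delete the rule, its chain, then the table. The anonymous set
 * is never deleted explicitly; when bound it is released later (from the
 * rcu callback, per the cover letter), after the table check has run. */
int batch_delete_all(int bind_anon_set)
{
	struct table t = { 0 };
	struct chain c;

	chain_add(&t, &c);
	rule_add(&c);
	set_add(&t);			/* anonymous set created for the rule */
	if (bind_anon_set)
		anon_set_bind(&t);

	rule_del(&c);
	if (chain_del(&c))
		return -EBUSY;
	return table_del(&t);
}

int main(void)
{
	printf("bound anonymous set:   %d\n", batch_delete_all(1));
	printf("unbound anonymous set: %d\n", batch_delete_all(0));
	return 0;
}
```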