On Tue, Aug 04, 2015 at 11:09:17AM +0200, Patrick McHardy wrote: > On 04.08, Pablo Neira Ayuso wrote: > > The dumping of table objects can be inconsistent when interfering with the > > preparation phase of our 2-phase commit protocol because: > > > > 1) We remove objects from the lists during the preparation phase, that can be > > added re-added from the abort step. Thus, we may miss objects that are still > > active. > > > > 2) We add new objects to the lists during the preparation phase, so we may get > > objects that are not yet active with an internal flag set. > > > > We can resolve this problem with generation masks, as we already do for rules > > when we expose them to the packet path. > > > > After this change, we always obtain a consistent list as long as we stay in the > > same generation. The userspace side can detect interferences through the > > generation counter. If so, it needs to restart. > > > > As a result, we can get rid of the internal NFT_TABLE_INACTIVE flag. > > I have a similar patch queued up, however there seems to be something missing > in this patch. The lookup functions need to take the genmask into account. > Otherwise you can not delete and add a new table in the same batch. The same > holds for all other object types. I got what you meant, we have to skip the delete table when iterating over the list. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
