When xt_replace_table assigns the new ruleset pointer, it does not wait for other processors to finish with the old ruleset. Instead it relies on the counter sequence lock in get_counters() to do this. This works, but it is very costly if the system is busy, as each counter read operation can possibly be restarted indefinitely.

Instead, let's make xt_replace_table wait until all processors are known to not use the old ruleset anymore. This allows reading the old ruleset's counters without the sequence lock -- as we already know no cpu is using the ruleset anymore, the counters can't change either.

 ipv4/netfilter/arp_tables.c | 22 ++++++++++++++++++++--
 ipv4/netfilter/ip_tables.c  | 23 +++++++++++++++++++++--
 ipv6/netfilter/ip6_tables.c | 22 ++++++++++++++++++++--
 netfilter/x_tables.c        | 15 ++++++++++++---
 4 files changed, 73 insertions(+), 9 deletions(-)

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
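The following is an added user-space model of the scheme the cover letter describes; it is not code from this series or from the kernel. Each simulated CPU keeps a sequence counter that is odd while it is inside the packet path (standing in for the per-cpu xt_recseq), the writer swaps the ruleset pointer and then waits, per CPU, until an odd snapshot has moved on, after which the retired table's counters are summed with no lock at all. The names (pcpu_state, table_swap_and_wait, cpu_done_with_old, run_demo), the three-CPU layout and the scripted packet activity in run_demo are all constructed for this example; the real code also uses weaker, explicit barriers where this model leans on default seq_cst atomics.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

#define NR_CPUS 3

struct ruleset { unsigned long counters[NR_CPUS]; }; /* per-cpu hits, no lock */

/* Per-CPU state (invented for this model): seq is odd while that CPU is inside
 * the packet path, the role xt_recseq plays in the kernel; cur is the table it
 * loaded on entry. */
struct pcpu_state { atomic_uint seq; struct ruleset *cur; };

struct pcpu_state cpus[NR_CPUS];
struct ruleset *_Atomic active;

/* Packet path: mark the CPU busy, load the active table, account one packet.
 * Default seq_cst atomics keep the seq bump ordered ahead of the pointer load. */
void reader_enter(int cpu)
{
	atomic_fetch_add(&cpus[cpu].seq, 1);            /* odd: in use */
	cpus[cpu].cur = atomic_load(&active);
	cpus[cpu].cur->counters[cpu]++;
}

void reader_exit(int cpu)
{
	cpus[cpu].cur = NULL;
	atomic_fetch_add(&cpus[cpu].seq, 1);            /* even: idle */
}

/* Writer-side test for one CPU.  Even snapshot: the CPU was idle at swap
 * time.  Odd: it may still hold the old table, so wait for seq to move; once
 * it has, any later entry loaded the new pointer even if seq is odd again. */
bool cpu_done_with_old(int cpu, unsigned int snap)
{
	if (!(snap & 1))
		return true;
	return atomic_load(&cpus[cpu].seq) != snap;
}

/* Publish newinfo, then wait until no CPU can still use the old table.  `step`
 * stands in for cond_resched()/cpu_relax() and lets the caller drive the
 * simulated CPUs.  Returns the old table, now readable without any lock. */
struct ruleset *table_swap_and_wait(struct ruleset *newinfo,
				    void (*step)(void *), void *arg)
{
	struct ruleset *old = atomic_exchange(&active, newinfo);
	unsigned int snap[NR_CPUS];
	for (int cpu = 0; cpu < NR_CPUS; cpu++)
		snap[cpu] = atomic_load(&cpus[cpu].seq);
	for (int cpu = 0; cpu < NR_CPUS; cpu++)
		while (!cpu_done_with_old(cpu, snap[cpu]))
			step(arg);
	return old;
}

/* Lock-free read of a retired table's counters; valid only after the wait. */
unsigned long sum_counters(const struct ruleset *t)
{
	unsigned long total = 0;
	for (int cpu = 0; cpu < NR_CPUS; cpu++)
		total += t->counters[cpu];
	return total;
}

/* Scripted CPU progress: on the writer's first spin, cpu0 leaves the old
 * table and immediately re-enters, now on the new one. */
static void demo_step(void *arg)
{
	int *calls = arg;
	if ((*calls)++ == 0) {
		reader_exit(0);
		reader_enter(0);
	}
}

/* Constructed scenario.  Returns 0 when every check holds, else the number of
 * the failed check. */
int run_demo(void)
{
	static struct ruleset old_t, new_t;
	int calls = 0;
	for (int cpu = 0; cpu < NR_CPUS; cpu++) {
		atomic_init(&cpus[cpu].seq, 0);
		cpus[cpu].cur = NULL;
		old_t.counters[cpu] = new_t.counters[cpu] = 0;
	}
	atomic_store(&active, &old_t);
	reader_enter(0);                /* cpu0 busy with the old table */
	reader_enter(2);                /* cpu2 handled one packet ... */
	reader_exit(2);                 /* ... and left: seq is even */
	struct ruleset *old = table_swap_and_wait(&new_t, demo_step, &calls);
	if (old != &old_t)              return 1;
	if (calls != 1)                 return 2; /* only cpu0 needed waiting */
	if (cpus[0].cur != &new_t)      return 3; /* cpu0 re-entered on new */
	if (sum_counters(&old_t) != 2)  return 4; /* cpu0 + cpu2 hits on old */
	if (sum_counters(&new_t) != 1)  return 5; /* cpu0's re-entry hit new */
	return 0;
}
```

run_demo() is the entry point to call from a main(); a zero return means the writer waited exactly once (for cpu0, the only CPU that was inside the packet path at swap time), saw cpu1 and cpu2 as idle from their even snapshots, and could sum the retired table's counters without the sequence lock. The odd-again case for cpu0 is the subtlety worth keeping in mind: the writer must wait for the counter to change, not merely for it to be even, because a CPU can leave and re-enter between two polls.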