On Fri, Dec 20, 2019 at 11:42:27AM +0800, wenxu wrote:
> On 12/20/2019 7:55 AM, Pablo Neira Ayuso wrote:
> > On Wed, Dec 18, 2019 at 10:59:12PM +0800, wenxu@xxxxxxxxx wrote:
> >> From: wenxu <wenxu@xxxxxxxxx>
> >>
> >> nf_tables_commit for NFT_MSG_NEWRULE
> >>
> >> The newly created rule should be activated in nf_tables_commit.
> >>
> >> Create a flowtable:
> >> nft add table firewall
> >> nft add flowtable firewall fb1 { hook ingress priority 2 \; devices = { tun1, mlx_pf0vf0 } \; }
> >> nft add chain firewall ftb-all {type filter hook forward priority 0 \; policy accept \; }
> >> nft add rule firewall ftb-all ct zone 1 ip protocol tcp flow offload @fb1
> >> nft add rule firewall ftb-all ct zone 1 ip protocol udp flow offload @fb1
> >>
> >> Delete the related rules:
> >> nft delete chain firewall ftb-all
> >>
> >> The flowtable can then be deleted:
> >> nft delete flowtable firewall fb1
> >>
> >> But this fails with: Device is busy
> >>
> >> nf_flowtable->use is not zero, as there is no activate operation.
> >
> > This is correct.
> >
> >> Signed-off-by: wenxu <wenxu@xxxxxxxxx>

[...]

> So the patch should be as follows.
>
> static void nft_flow_offload_destroy(const struct nft_ctx *ctx,
>                                      const struct nft_expr *expr)
> {
>         struct nft_flow_offload *priv = nft_expr_priv(expr);
>
> -       priv->flowtable->use--;
>         nf_ct_netns_put(ctx->net, ctx->family);
> }
>
>
> The rule should be like the following?
>
>
> Create rule: nft_xx_init increments the use counter; if the rule create
> fails, just deactivate it.
>
> Delete rule: deactivate decrements the use counter; if the rule delete
> fails, just activate it.

That looks like the right fix. Thanks.
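Review bot: the quoted snippet only removes `priv->flowtable->use--` from nft_flow_offload_destroy(); applied alone it would leak the reference taken in init, so the final patch has to carry the two counterparts the reply describes: a deactivate hook that decrements `flowtable->use` when the rule is deactivated (both for a delete and for an aborted create, which is the "rule create failed" case above), and an activate hook that re-increments it when a delete is aborted. Worth checking in the full patch that the decrement happens as part of deactivation in the batch that deletes the chain, since the commit message's `nft delete flowtable` right after `nft delete chain` only succeeds if use has already reached zero by then.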
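The counter discipline settled on above, as an added user-space model that is not code from this thread or from the kernel: expr_set_active, expr_init and expr_destroy are hypothetical stand-ins for the nft expression hooks, and it assumes, as in nf_tables' transaction handling, that expression destroy runs after the batch has committed.

```c
/* Added model of the thread's use-counter fix: hypothetical stand-ins, not kernel code */
#include <stdbool.h>
struct flowtable { int use; };                          /* nf_flowtable->use */
struct flow_expr { struct flowtable *ft; bool active; };

/* proposed scheme: the flowtable reference follows the rule's active state */
static void expr_set_active(struct flow_expr *e, bool active)
{
	if (e->active == active)
		return;
	e->active = active;
	e->ft->use += active ? 1 : -1;
}

static void expr_init(struct flow_expr *e, struct flowtable *ft)
{
	e->ft = ft;
	e->active = false;
	expr_set_active(e, true);               /* a new rule takes its ref at once */
}

static void expr_destroy(struct flow_expr *e, bool old_scheme)
{
	if (old_scheme) e->ft->use--;           /* old code: use-- only here */
}

/* Thread scenario: two rules reference fb1, then the chain is deleted and the
 * batch commits. Returns the use count a following 'nft delete flowtable' sees,
 * before the deferred destroy of the old rules has run. */
int use_seen_by_flowtable_delete(bool old_scheme)
{
	struct flowtable ft = { 0 };
	struct flow_expr r[2];
	for (int i = 0; i < 2; i++) expr_init(&r[i], &ft);
	if (!old_scheme)                        /* new: deactivate drops the ref now */
		for (int i = 0; i < 2; i++) expr_set_active(&r[i], false);
	int seen = ft.use;                      /* old: 2 ("Device is busy"), new: 0 */
	for (int i = 0; i < 2; i++) expr_destroy(&r[i], old_scheme);
	return seen;
}

int use_after_aborted_delete(void)
{
	struct flowtable ft = { 0 };
	struct flow_expr r;
	expr_init(&r, &ft);
	expr_set_active(&r, false);             /* delete: prepare phase */
	expr_set_active(&r, true);              /* batch aborted: hand the ref back */
	return ft.use;                          /* 1: fb1 is still referenced */
}
```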