At this time nf_tables will validate all tables before committing the
new rules.

Unfortunately this has two drawbacks:

1. Since addition of the transaction mutex, pernet state gets written to
   outside of the locked section from the cleanup callback. This is
   wrong, so do this cleanup directly after the table has passed all
   checks.

2. We revalidate tables that saw no changes. This can be avoided by
   keeping the validation state per table, not per net.

Florian Westphal (2):
  netfilter: nf_tables: don't write table validation state without mutex
  netfilter: nf_tables: make validation state per table

 include/linux/netfilter/nfnetlink.h |  1 -
 include/net/netfilter/nf_tables.h   |  3 +-
 net/netfilter/nf_tables_api.c       | 44 +++++++++++++----------------
 net/netfilter/nfnetlink.c           |  2 --
 4 files changed, 21 insertions(+), 29 deletions(-)

-- 
2.39.2