Hi,

This batch contains updates for set infrastructure in nf_tables.

Patch #1 no need to call pipapo_deactivate() from .flush path, instead
         use the e->ext that is passed as argument to make the element
         inactive in the next generation.

Patch #2 turn set backend .flush to void, it always succeeds.

Patch #3 add struct nft_elem_priv placeholder and use it instead of
         void * to expose the opaque set element representation from
         the nf_tables frontend.

Patch #4 use struct nft_elem_priv instead of struct nft_set_elem in
         transactions, this shrinks set element transaction object to
         fit into kmalloc-128.

Patch #5 pass struct nft_elem_priv instead of nft_set_ext to .insert,
         this is in preparation for set timeout updates support.

Patch #6 use timestamp to check if element has expired from transaction
         path, that is .insert, .deactivate and sync gc paths. The
         timestamp ensures that elements are consistently evaluated as
         alive / expired while handling the transaction.

Patch #7 always add timeout extensions to set elements that use default
         set timeout, as with support to update set elements, element
         timeout could be updated to use something different than
         default set timeout.

Patch #8 Support for set element timeout updates. This requires no
         userspace updates. This calls .insert on the element, if it
         returns EEXIST, then it creates a transaction using the
         existing struct nft_elem_priv that represents the object.

This has survived 3+3 hours of 30s-stress and tests/shell runs with all
debugging instrumentation being enabled. I still have to modify existing
tests to make sure existing torture tests are exercising set element
updates.

Batch can be split in three smaller batches to be upstreamed, because
they are unrelated although they all were made to clear the path to
support for element timeout updates.

Pablo Neira Ayuso (8):
  netfilter: nft_set_pipapo: no need to call pipapo_deactivate() from flush
  netfilter: nf_tables: set backend .flush always succeeds
  netfilter: nf_tables: expose opaque set element as struct nft_elem_priv
  netfilter: nf_tables: shrink memory consumption of set elements
  netfilter: nf_tables: set->ops->insert returns opaque set element in case of EEXIST
  netfilter: nf_tables: use timestamp to check for set element timeout
  netfilter: nf_tables: add timeout extension to elements to prepare for updates
  netfilter: nf_tables: set element timeout update support

 include/net/netfilter/nf_tables.h |  91 ++++++---
 net/netfilter/nf_tables_api.c     | 296 ++++++++++++++++--------------
 net/netfilter/nft_dynset.c        |  23 +--
 net/netfilter/nft_set_bitmap.c    |  51 +++--
 net/netfilter/nft_set_hash.c      | 113 ++++++------
 net/netfilter/nft_set_pipapo.c    |  86 ++++-----
 net/netfilter/nft_set_pipapo.h    |   4 +-
 net/netfilter/nft_set_rbtree.c    |  75 ++++----
 8 files changed, 406 insertions(+), 333 deletions(-)

--
2.30.2