Re: [PATCH nf-next,RFC 6/8] netfilter: nf_tables: use timestamp to check for set element timeout



Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> @@ -10435,6 +10435,8 @@ static bool nf_tables_valid_genid(struct net *net, u32 genid)
>  	if (!genid_ok)
>  		mutex_unlock(&nft_net->commit_mutex);
> +	nft_net->tstamp = get_jiffies_64();
> +
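Review bot: the new store `nft_net->tstamp = get_jiffies_64();` lands after the `if (!genid_ok) mutex_unlock(&nft_net->commit_mutex);` line, so on the !genid_ok path it is written with commit_mutex already released and can race with whoever takes the mutex next; move the assignment above the `if (!genid_ok)` check so it is only ever updated while the mutex is held.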

I think this should be done while mutex is still held.
Not a big deal because time won't advance by a huge margin
in case another caller comes along right after the (!genid_ok)

>  static inline u32 nft_rhash_key(const void *data, u32 len, u32 seed)
> @@ -87,6 +88,7 @@ bool nft_rhash_lookup(const struct net *net, const struct nft_set *set,
>  		.genmask = nft_genmask_cur(net),
>  		.set	 = set,
>  		.key	 = key,
> +		.tstamp  = get_jiffies_64(),
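Review bot: `.tstamp = get_jiffies_64()` in nft_rhash_lookup samples jiffies on every lookup, which is a different notion of "now" from the nft_net->tstamp stored on the transaction path in the earlier hunk, and on 32-bit builds get_jiffies_64() is a seqcount-protected read rather than a plain load, so this adds a small per-packet cost; a comment next to the field saying which timestamp the expiry check consults in the lockless lookup versus the transactional case (or a single helper that picks the right one) would make the split explicit.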

Hmm.  This makes things significantly more complicated,
because of the 'lockless' vs. 'transactional update' problem.

It would help if we had a uniform way to tell which-is-what, e.g.
by passing the nft_ctx for the transactional case or similar.

But this would be even more code churn, so I think it's ok.
