On Wed, Jan 17, 2024 at 5:00 PM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> From: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxx>
>
> The patch "netfilter: ipset: fix race condition between swap/destroy
> and kernel side add/del/test", commit 28628fa9 fixes a race condition.
> But the synchronize_rcu() added to the swap function unnecessarily slows
> it down: it can safely be moved to destroy and use call_rcu() instead.
> Thus we can get back the same performance and preventing the race condition
> at the same time.
...
>
> @@ -2357,6 +2369,9 @@ ip_set_net_exit(struct net *net)
>
> inst->is_deleted = true; /* flag for ip_set_nfnl_put */
>
> + /* Wait for call_rcu() in destroy */
> + rcu_barrier();
> +
> nfnl_lock(NFNL_SUBSYS_IPSET);
> for (i = 0; i < inst->ip_set_max; i++) {
> set = ip_set(inst, i);
> --
> 2.30.2
>
If I am reading this right, time for netns dismantles will increase,
even for netns not using ipset
If there is no other option, please convert "struct pernet_operations
ip_set_net_ops".exit to an exit_batch() handler,
to at least have a factorized rcu_barrier();
